Abstract. We show how to give a coherent semantics to programs that are well-specified in a version of separation logic for a language with higher types: idealized algol extended with heaps (but with immutable stack variables). In particular, we provide simple sound rules for deriving higher-order frame rules, allowing for local reasoning.



1. Introduction 

Separation logic [T71 HH El O S H] is a Hoare-style program logic, and variants of it have been applied to prove correct interesting pointer algorithms such as copying a dag, disposing a graph, the Schorr-Waite graph algorithm, and Cheney's copying garbage collector. The main advantage of separation logic compared to ordinary Hoare logic is that it facilitates local reasoning, formalized via the so-called frame rule using a connective called separating conjunction. The development of separation logic has mostly focused on low-level languages with heaps and pointers, although in recent work [9] it was shown how to extend separation logic to a language with a simple kind of procedures, and a second-order frame rule was proved sound.

Our aim here is to extend the study of separation logic to high-level languages, in 
particular to higher-order languages, in such a way that a wide collection of frame rules 
are sound, thus allowing for local reasoning in the presence of higher-order procedures. For 
concreteness, we choose to focus on the language of idealized algol extended with heaps 
and pointers and we develop a semantics for this language in which all commands and 
procedures are appropriately local. Our approach is to refine the type system of idealized 
algol extended with heaps, essentially by making specifications be types, and give semantics 
to well-specified programs. Thus we develop a separation-logic type system for idealized algol 
extended with heaps. It is a dependent type theory and the types include Hoare triples, rules 
corresponding to the rules of separation logic, and subtyping rules formalizing higher-order 
versions of the frame rule of separation logic. 
Our type system is related to modern proposals for type systems for low-level imperative languages, such as TAL [7], in that types may express state changes (since they include forms of Hoare triples as types). The type system for TAL was proved sound using an operational semantics. We provide a soundness proof of our type system using a denotational semantics which we, moreover, formally relate to the standard semantics for id ealized algol [11, 18]. The denotational semantics of a well-typed program is given by induction on its typing derivation, and the relation to the standard semantics for idealized algol is then used to prove that the semantics is coherent (i.e., is independent of the chosen typing derivation). We should perhaps stress that soundness is not a trivial issue: Reynolds has shown [9] that already the soundness of the second-order frame rule is tricky, by proving that if a proof system contains the second-order frame rule and the conjunction rule, together with the ordinary frame rule and the rule of Consequence, then the system becomes inconsistent. The semantics of our system proves that if we drop the conjunction rule, then we get soundness of all higher-order frame rules, including the second-order one. We also show how to get soundness of all higher-order frame rules without dropping the conjunction rule, by instead restricting attention to so-called precise predicates (see Section 5).

In idealized algol, variables are allocated on a stack and they are mutable (i.e., one 
can assign to variables). We only consider immutable variables (as in the ML programming 
language) for simplicity. The reason for this choice is that all mutation then takes place in 
the heap and thus we need not bother with so-called modifies clauses on frame rules, which 
become complicated to state already for the second-order frame rule [9]. 

We now give an intuitive overview of the technical development. Recall that the standard semantics of idealized algol is given using the category CPO of pointed complete partial orders and continuous functions. Thus types are interpreted as pointed complete partial orders and terms (programs) are interpreted as continuous functions. The semantics of our refined type system is given by refining the standard semantics. A type $\theta$ in our refined type system specifies which elements of the "underlying" type in the standard semantics satisfy the specification corresponding to $\theta$ and are appropriately local (to ensure soundness of the frame rules), that is, it "extracts" those elements. Moreover, the semantics also equates elements which cannot be distinguished by clients, that is, it quotients some of the extracted elements. Corresponding to these two aspects of the semantics we introduce two categories, $\mathcal{C}$ and $\mathcal{D}$, where $\mathcal{C}$ just contains the extracted elements and $\mathcal{D}$ is a quotient of $\mathcal{C}$. Thus there is a faithful functor from $\mathcal{C}$ to CPO and a full functor from $\mathcal{C}$ to $\mathcal{D}$. We show that the categories $\mathcal{C}$ and $\mathcal{D}$ are cartesian closed and have additional structure to interpret the higher-order frame rules, and that the mentioned functors preserve all this structure. The semantics of our type system is then given in the category $\mathcal{D}$, and the functors relating $\mathcal{C}$, $\mathcal{D}$ and CPO are then used to prove coherence of the semantics. In fact, as mentioned above, our type system is a dependent type theory, with dependent product type $\Pi i.\theta$ intuitively corresponding to the specification given by universally quantifying $i$ in the specification corresponding to $\theta$ (the usual Curry-Howard correspondence). For this reason the semantics is really not given in $\mathcal{D}$ but rather in the family fibration $\mathrm{Fam}(\mathcal{D}) \to \mathbf{Set}$ over $\mathcal{D}$.

The remainder of this paper is organized as follows. In Section 2 we define the storage model and assertion language used in this paper, thus setting the stage for our model. In Section 3 we provide the syntax of the version of idealized algol we use in this paper. In particular, we introduce our separation-logic type system, which includes an extended subtype relation. We also include two extended examples of typings in our typing system, one of which exemplifies the use of a third-order frame rule. In Section 4 we present the main contribution of the paper, a model which allows a sound interpretation, which we also show to be coherent and in harmony with the standard semantics. For simplicity, we omit treatment of the conjunction rule in Sections 3 and 4; in Section 5 we show how to treat the conjunction rule. In the last sections we give pointers to related and future work, and conclude.

An extended abstract of this paper was presented at the LICS 2005 conference. Com- 
pared to the conference paper, the present paper includes proofs, more detailed examples 
of the use of the typing system, and a treatment of the conjunction rule. 

2. Storage Model and Assertion Language 

We use the usual storage model of separation logic with one minor modification: we make explicit the shape of stack storage. Let $\mathrm{Ids} = \{i, j, \ldots\}$ be a countably infinite set of variables, and let $\Delta$ range over finite subsets of $\mathrm{Ids}$. We use three semantic domains: $\mathrm{Val}$, $[\![\Delta]\!]$ and $\mathrm{Heap}$. In this storage model, locations are positive integers, so that they can be manipulated by arithmetic operations. The set $\Delta$ models the set of variables in scope, and an element $\eta$ in $[\![\Delta]\!]$ specifies the values of those stack variables. We sometimes call $\eta$ an environment instead of a stack, in order to emphasize that all variables are immutable. An element $h$ in $\mathrm{Heap}$ denotes a heap; the domain of $h$ specifies the set of allocated cells, and the actual action of $h$ determines the contents of those allocated cells. We recall the disjointness predicate $h \# h'$ and the (partial) heap combination operator $h \cdot h'$ from separation logic. The predicate $h \# h'$ means that $\mathrm{dom}(h) \cap \mathrm{dom}(h') = \emptyset$; and $h \cdot h'$ is defined only for such disjoint heaps $h$ and $h'$, and in that case it denotes the combined heap $h \cup h'$.

Properties of states are expressed using the assertion language of classical separation logic [17] (see footnote 1):
\[
E ::= i \mid 0 \mid 1 \mid E + E \mid E - E,
\]
\[
P ::= E = E \mid E \mapsto E \mid \mathsf{emp} \mid P * P \mid \mathsf{true} \mid P \wedge P \mid P \vee P \mid \neg P \mid \forall i.\,P \mid \exists i.\,P.
\]

The assertion $E \mapsto E'$ means that the current heap has only one cell $E$ and, moreover, that the content of the cell is $E'$. When we do not care about the contents, we write $E \mapsto -$; formally, this is an abbreviation of $\exists i.\, E \mapsto i$ for some $i$ not occurring in $E$. The next two assertions, $\mathsf{emp}$ and $P * Q$, are the most interesting features of this assertion language. The empty predicate $\mathsf{emp}$ means that the current heap is empty, and the separating conjunction $P * Q$ means that the current heap can be partitioned into two parts, one satisfying $P$ and another satisfying $Q$.

As in the storage model, we make explicit which set of free variables we are considering an expression or an assertion under. Thus, letting $\mathrm{fv}$ be a function that takes an expression or an assertion and returns the set of free variables, we often write assertions as $\Delta \vdash P$ to indicate that $\mathrm{fv}(P) \subseteq \Delta$, and that $P$ is currently being considered for environments of the shape $\Delta$. Likewise, we often write $\Delta \vdash E$ for expressions.

Footnote 1: The assertion language of separation logic also contains the separating implication $-\!\!*$. Since that connective does not raise any new issues in connection with the present work, we omit it here.

The interpretations of an expression $\Delta \vdash E$ and an assertion $\Delta \vdash P$ are of the forms
\[
[\![\Delta \vdash E]\!] : [\![\Delta]\!] \to \mathrm{Val}, \qquad [\![\Delta \vdash P]\!] : [\![\Delta]\!] \to \mathcal{P}(\mathrm{Heap}).
\]

The interpretation of expressions is standard, just like that of assertions. We include part of the definition of the interpretation of assertions here.
\[
\begin{aligned}
[\![\Delta \vdash E \mapsto E']\!]_\eta &= \text{if } ([\![\Delta \vdash E]\!]_\eta \le 0) \text{ then } \emptyset \text{ else } \{[\,[\![\Delta \vdash E]\!]_\eta \mapsto [\![\Delta \vdash E']\!]_\eta\,]\},\\
[\![\Delta \vdash \mathsf{emp}]\!]_\eta &= \{[\,]\},\\
[\![\Delta \vdash P * P']\!]_\eta &= \{h \cdot h' \mid h \# h' \wedge h \in [\![\Delta \vdash P]\!]_\eta \wedge h' \in [\![\Delta \vdash P']\!]_\eta\},\\
[\![\Delta \vdash \forall i.\,P]\!]_\eta &= \{h \mid \forall n \in \mathrm{Val}.\; h \in [\![\Delta \cup \{i\} \vdash P]\!]_{\eta[i \mapsto n]}\}.
\end{aligned}
\]

3. Programming Language 

The programming language is Reynolds's idealized algol [18] adapted for "separation-logic typing." It is a call-by-name typed lambda calculus, extended with heap operations, dependent functions, and Hoare-triple types. As explained in the introduction, we only consider immutable variables.

The types of the language are defined as follows. We write $\Delta \vdash \theta : \mathrm{Type}$ for a type $\theta$ in context $\Delta$. The set of types is defined by the following inference rules (in which $P$ and $Q$ range over assertions):
\[
\frac{\Delta \vdash P \quad \Delta \vdash Q}{\Delta \vdash \{P\}\text{-}\{Q\} : \mathrm{Type}}
\qquad
\frac{\Delta \vdash \theta : \mathrm{Type} \quad \Delta \vdash P}{\Delta \vdash \theta \otimes P : \mathrm{Type}}
\]
\[
\frac{\Delta \cup \{i\} \vdash \theta : \mathrm{Type}}{\Delta \vdash \Pi i.\theta : \mathrm{Type}}\ (i \notin \Delta)
\qquad
\frac{\Delta \vdash \theta : \mathrm{Type} \quad \Delta \vdash \theta' : \mathrm{Type}}{\Delta \vdash \theta \to \theta' : \mathrm{Type}}
\]

Note that the types are dependent types, in that they may depend on variables $i$ (see the first rule above). One way to understand a type is to read it as a specification for terms, i.e., through the Curry-Howard correspondence. A Hoare-triple type $\{P\}\text{-}\{Q\}$ is a direct import from separation logic; it denotes a set of commands $c$ that satisfy the Hoare triple $\{P\}\,c\,\{Q\}$. An invariant extension $\theta \otimes P$ is satisfied by a term $M$ if and only if for one part of the heap the behavior of $M$ satisfies $\theta$, and for the other part of the heap $M$ maintains the invariant $P$. We remark that $\theta \otimes P$ allows $M$ to transfer cells between the $\theta$-part of the heap and the $P$-part of the heap. For instance, $\{P\}\text{-}\{Q\} \otimes P_0$ intuitively consists of the following commands $c$: given an input state satisfying $P * P_0$, so that the input state may be split into a $P$-part and a $P_0$-part, command $c$ changes these two parts, sometimes transferring cells between the two, such that in the end the $P$-part satisfies $Q$ and the $P_0$-part satisfies $P_0$.

The type $\Pi i.\theta$ is a dependent product type, as in standard dependent type theory (under Curry-Howard it corresponds to the specification given by universally quantifying $i$ in the specification corresponding to $\theta$). Intuitively, $\Pi i.\theta$ denotes functions from integers such that given an integer $n$, they return a value satisfying $\theta[n/i]$. For example, the type $\Pi j.\{j \mapsto -\}\text{-}\{j \mapsto i!\}$ specifies a factorial function that computes the factorial of $i$ and stores the result in the heap cell $j$.
The pre-terms of the language are given by the following grammar:
\[
\begin{aligned}
M ::= {}& x \mid \lambda x{:}\theta.\,M \mid M\,M \mid \lambda i.\,M \mid M\,E \mid \mathsf{fix}\,M \mid \mathsf{ifz}\,E\,M\,M \mid \mathsf{skip} \mid M;M \\
\mid {}& \mathsf{let}\ i = \mathsf{new}\ \mathsf{in}\ M \mid \mathsf{free}(E) \mid [E] := E \mid \mathsf{let}\ i = [E]\ \mathsf{in}\ M,
\end{aligned}
\]
where $E$ is an integer expression defined in Section 2. The language has the usual constructs for a higher-order imperative language with heap operations, but it has two distinct features. First, it treats the integer expressions as "second class": the terms $M$ never have the integer type, and all integer expressions inside a term are from the separate grammar for $E$ defined in Section 2. Second, no "integer variables" $i$ can be modified in this language; only heap cells can be modified. Note that the language has two forms of abstraction and application, one for general terms and the other for integer expressions. A consequence of this stratification is that all integer expressions terminate, because the grammar for $E$ does not contain the recursion operator.

The language has four heap operations. Command $\mathsf{let}\ i = \mathsf{new}\ \mathsf{in}\ M$ allocates a heap cell (see footnote 2), binds $i$ to the address of the allocated cell, and executes the command $M$. An allocated cell $i$ can be disposed by $\mathsf{free}(i)$. The remaining two commands access the content of a cell. The command $[i] := E'$ changes the content of cell $i$ to $E'$; and $\mathsf{let}\ j = [i]\ \mathsf{in}\ M$ reads the content of cell $i$, binds $j$ to the read value, and executes $M$. Note that the allocation and lookup commands involve the "continuation", and make the bound variable available in the continuation; such indirect-style commands are needed because all variables are immutable.

Footnote 2: We consider single-cell allocation only in order to simplify the presentation; it is straightforward to adapt our results to a language with allocation of $n$ consecutive cells.

In this paper, we assume a hygiene condition on integer variables $i$, in order to avoid the (well-known) issue of variable capture. That is, we assume that no terms or types in the paper use a single symbol $i$ for more than one bound variable, or for a bound variable and a free variable at the same time.

The typing rules of the language decide a judgment of the form $\Gamma \vdash_\Delta M : \theta$, where $\Gamma$ is a list of type assignments to identifiers, $\Gamma = x_1 : \theta_1, \ldots, x_n : \theta_n$, and where the set $\Delta$ contains all the free variables appearing in $\Gamma$, $M$, $\theta$.

The type system is shown in Figures 1 and 2. For notational simplicity we have omitted some obvious side-conditions of the form $\Delta \vdash \theta : \mathrm{Type}$ which ensure that, for a judgment $\Gamma \vdash_\Delta M : \theta$, the set $\Delta$ always contains all the free variables appearing in $\Gamma$, $M$, $\theta$, and that the type assignment $\Gamma$ is always well-formed. There are three classes of rules. The first class consists of the rules from the simply typed lambda calculus extended with dependent product types and recursion. The second class consists of the rules for the imperative constructs, all of which come from separation logic. The last class consists of the subsumption rule based on the subtype relation $\preccurlyeq_\Delta$, which is the most interesting part of our type system. The proof rules for $\preccurlyeq_\Delta$ are shown in Figure 2. They define a preorder between types with free variables in $\Delta$, and include all the usual structural subtyping rules in chapter 15 of [13]. The rules specific to our system are: the covariant structural rule for $\theta \otimes P$; the encoding of Consequence in Hoare logic; the generalized frame rule that adds an invariant to all types; and the distribution rules for an added invariant assertion.

Figure 1: Typing Rules
\[
\Gamma, x{:}\theta \vdash_\Delta x : \theta
\qquad
\frac{\Gamma, x{:}\theta \vdash_\Delta M : \theta'}{\Gamma \vdash_\Delta \lambda x{:}\theta.\,M : \theta \to \theta'}
\qquad
\frac{\Gamma \vdash_\Delta M : \theta' \to \theta \quad \Gamma \vdash_\Delta M' : \theta'}{\Gamma \vdash_\Delta M\,M' : \theta}
\]
\[
\frac{\Gamma \vdash_{\Delta\cup\{i\}} M : \theta'}{\Gamma \vdash_\Delta \lambda i.\,M : \Pi i.\theta'}\ (i \notin \mathrm{fv}(\Gamma,\Delta))
\qquad
\frac{\Gamma \vdash_\Delta M : \Pi i.\theta \quad \Delta \vdash E}{\Gamma \vdash_\Delta M\,E : \theta[E/i]}
\qquad
\frac{\Gamma \vdash_\Delta M : \theta \to \theta}{\Gamma \vdash_\Delta \mathsf{fix}\,M : \theta}
\]
\[
\frac{\Gamma \vdash_\Delta M : \{P \wedge E = 0\}\text{-}\{Q\} \quad \Gamma \vdash_\Delta M' : \{P \wedge E \neq 0\}\text{-}\{Q\}}{\Gamma \vdash_\Delta \mathsf{ifz}\,E\,M\,M' : \{P\}\text{-}\{Q\}}
\qquad
\frac{\Delta \vdash P}{\Gamma \vdash_\Delta \mathsf{skip} : \{P\}\text{-}\{P\}}
\]
\[
\frac{\Gamma \vdash_\Delta M : \{P\}\text{-}\{P'\} \quad \Gamma \vdash_\Delta M' : \{P'\}\text{-}\{Q\}}{\Gamma \vdash_\Delta (M; M') : \{P\}\text{-}\{Q\}}
\qquad
\frac{\Delta \vdash E}{\Gamma \vdash_\Delta \mathsf{free}(E) : \{E \mapsto -\}\text{-}\{\mathsf{emp}\}}
\]
\[
\frac{\Gamma \vdash_{\Delta\cup\{i\}} M : \{P * i \mapsto -\}\text{-}\{Q\}}{\Gamma \vdash_\Delta \mathsf{let}\ i = \mathsf{new}\ \mathsf{in}\ M : \{P\}\text{-}\{Q\}}\ (i \notin \mathrm{fv}(\Gamma,\Delta,P,Q))
\qquad
\Gamma \vdash_\Delta [E] := E' : \{E \mapsto -\}\text{-}\{E \mapsto E'\}
\]
\[
\frac{\Gamma \vdash_{\Delta\cup\{i\}} M : \{E \mapsto i * P\}\text{-}\{Q\}}{\Gamma \vdash_\Delta \mathsf{let}\ i = [E]\ \mathsf{in}\ M : \{\exists i.\ E \mapsto i * P\}\text{-}\{Q\}}\ (i \notin \mathrm{fv}(\Gamma,\Delta,Q))
\qquad
\frac{\Gamma \vdash_\Delta M : \theta \quad \theta \preccurlyeq_\Delta \theta'}{\Gamma \vdash_\Delta M : \theta'}
\]

Figure 2: Rules for the Subtyping Relation $\preccurlyeq_\Delta$

Inference rules:
\[
\frac{\theta \preccurlyeq_\Delta \theta' \quad \theta' \preccurlyeq_\Delta \theta''}{\theta \preccurlyeq_\Delta \theta''}
\qquad
\frac{\theta' \preccurlyeq_\Delta \theta \quad \theta_1 \preccurlyeq_\Delta \theta_1'}{(\theta \to \theta_1) \preccurlyeq_\Delta (\theta' \to \theta_1')}
\qquad
\frac{\theta \preccurlyeq_{\Delta \cup \{i\}} \theta'}{(\Pi i.\theta) \preccurlyeq_\Delta (\Pi i.\theta')}\ (i \notin \Delta)
\]
\[
\frac{\theta \preccurlyeq_\Delta \theta'}{(\theta \otimes P) \preccurlyeq_\Delta (\theta' \otimes P)}
\qquad
\frac{P' \Rightarrow P \text{ and } Q \Rightarrow Q' \text{ are valid}}{\{P\}\text{-}\{Q\} \preccurlyeq_\Delta \{P'\}\text{-}\{Q'\}}\ (\text{Consequence})
\]

Axioms:
\[
\theta \preccurlyeq_\Delta \theta
\qquad
\theta \preccurlyeq_\Delta \theta \otimes P
\]
\[
(\{P\}\text{-}\{Q\}) \otimes P_0 \simeq_\Delta \{P * P_0\}\text{-}\{Q * P_0\}
\qquad
(\Pi i.\theta) \otimes P \simeq_\Delta \Pi i.(\theta \otimes P)\ (\text{when } i \notin \Delta)
\]
\[
(\theta \otimes Q) \otimes P \simeq_\Delta \theta \otimes (Q * P)
\qquad
(\theta \to \theta') \otimes P \simeq_\Delta (\theta \otimes P \to \theta' \otimes P)
\]
Here $\theta \simeq_\Delta \theta'$ abbreviates the pair of axioms $\theta \preccurlyeq_\Delta \theta'$ and $\theta' \preccurlyeq_\Delta \theta$.

The generalized frame rule, $\theta \preccurlyeq_\Delta \theta \otimes P_0$, means that if a program satisfies $\theta$ and an assertion $P_0$ does not "mention" any cells described by $\theta$, then the program preserves $P_0$. Note that this rule indicates that the types in our system are tight [5, 17]: if a program satisfies $\theta$, it can only access heap cells "mentioned" in $\theta$. This is why an assertion $P_0$ for "unmentioned" cells is preserved by the program. For instance, if a program $M$ has a type of the form
\[
\theta_1 \to \cdots \to \theta_n \to \{P\}\text{-}\{Q\},
\]
the tightness of the type says that all the cells that $M$ can directly access must appear in the pre-condition $P$. Thus, if no cells in an assertion $P_0$ appear in $P$, program $M$ maintains $P_0$, as long as argument procedures maintain it. Such a fact can, indeed, be inferred by the generalized frame rule together with the distribution rules:
\[
\begin{aligned}
& \theta_1 \to \cdots \to \theta_n \to \{P\}\text{-}\{Q\} \\
\preccurlyeq_\Delta\ & (\theta_1 \to \cdots \to \theta_n \to \{P\}\text{-}\{Q\}) \otimes P_0 && (\because\ \theta \preccurlyeq_\Delta \theta \otimes P) \\
\preccurlyeq_\Delta\ & \theta_1 \otimes P_0 \to \cdots \to \theta_n \otimes P_0 \to \{P\}\text{-}\{Q\} \otimes P_0 && (\because\ (\theta \to \theta') \otimes P \preccurlyeq_\Delta (\theta \otimes P \to \theta' \otimes P)) \\
\preccurlyeq_\Delta\ & \theta_1 \otimes P_0 \to \cdots \to \theta_n \otimes P_0 \to \{P * P_0\}\text{-}\{Q * P_0\} && (\because\ \{P\}\text{-}\{Q\} \otimes P_0 \preccurlyeq_\Delta \{P * P_0\}\text{-}\{Q * P_0\})
\end{aligned}
\]



The generalized frame rule, the distribution rules, and the structural subtyping rule for function types all together give many interesting higher-order frame rules, including the second-order frame rule. The common mechanism for obtaining such a rule is: first, add an invariant assertion by the generalized frame rule, and then propagate the added assertion all the way down to a base triple type by the distribution rules. The structural subtyping rule for the function type allows us to apply this construction to a sub type-expression in an appropriate covariant or contravariant way. For instance, we can derive a third-order frame rule as follows:
\[
\begin{aligned}
& (\{P_1\}\text{-}\{Q_1\} \to \{P_2\}\text{-}\{Q_2\}) \to \{P_3\}\text{-}\{Q_3\} \\
\preccurlyeq_\Delta\ & ((\{P_1\}\text{-}\{Q_1\} \to \{P_2\}\text{-}\{Q_2\}) \to \{P_3\}\text{-}\{Q_3\}) \otimes P && (\because\ \theta \preccurlyeq_\Delta \theta \otimes P) \\
\preccurlyeq_\Delta\ & (\{P_1\}\text{-}\{Q_1\} \otimes P \to \{P_2\}\text{-}\{Q_2\} \otimes P) \to \{P_3\}\text{-}\{Q_3\} \otimes P && (\because\ (\theta \to \theta') \otimes P \simeq_\Delta (\theta \otimes P \to \theta' \otimes P)) \\
\preccurlyeq_\Delta\ & (\{P_1\}\text{-}\{Q_1\} \otimes P \to \{P_2\}\text{-}\{Q_2\}) \to \{P_3\}\text{-}\{Q_3\} \otimes P && (\because\ \text{structural subtyping}) \\
\preccurlyeq_\Delta\ & (\{P_1 * P\}\text{-}\{Q_1 * P\} \to \{P_2\}\text{-}\{Q_2\}) \to \{P_3 * P\}\text{-}\{Q_3 * P\} && (\because\ \{P_0\}\text{-}\{Q_0\} \otimes P \simeq_\Delta \{P_0 * P\}\text{-}\{Q_0 * P\})
\end{aligned}
\]
The structural step uses the contravariance of $\to$ in its argument position: since $\{P_2\}\text{-}\{Q_2\} \preccurlyeq_\Delta \{P_2\}\text{-}\{Q_2\} \otimes P$ by the generalized frame rule, we have $(\{P_1\}\text{-}\{Q_1\} \otimes P \to \{P_2\}\text{-}\{Q_2\}) \preccurlyeq_\Delta (\{P_1\}\text{-}\{Q_1\} \otimes P \to \{P_2\}\text{-}\{Q_2\} \otimes P)$, which is exactly what is needed to replace the argument type.

3.1. Example Proofs in the Type System. We illustrate how the type system works, with the verification of two example programs.

The first example is a procedure that disposes a linked list. With this example we demonstrate how a standard proof in separation logic yields a typing in our type system. Let $\mathsf{lst}(i)$ be an assertion which expresses that the heap contains a linked list $i$ terminating with $0$, and all the cells in the heap are in the list (see footnote 3). We define a procedure $\mathit{Dlist}$ for list disposal as follows:
\[
\mathit{Dlist} \stackrel{\mathrm{def}}{=} \mathsf{fix}\ \lambda f{:}(\Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\}).\ (\lambda i.\ \mathsf{ifz}\ i\ (\mathsf{skip})\ (\mathsf{let}\ j = [i]\ \mathsf{in}\ f(j); \mathsf{free}(i))).
\]

The program $\mathit{Dlist}$ takes a linked list $i$, and disposes the list, first the tail and then the head of the list.

Footnote 3: Formally, $\mathsf{lst}(i)$ is the (parameterized) assertion that satisfies the equivalence
\[
\mathsf{lst}(i) \iff (i = 0 \wedge \mathsf{emp}) \vee (\exists j.\ (i \mapsto j) * \mathsf{lst}(j));
\]
it can be defined as the minimal fixed point, expressible in higher-order separation logic [3].

We derive the typing judgment $\vdash_{\{\}} \mathit{Dlist} : (\Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\})$. Note that this derivation captures the correctness of $\mathit{Dlist}$, because the judgment means that when $\mathit{Dlist}$ is given a linked list $i$ as argument, then it disposes all the cells in the list.

The main part of the derivation is a proof tree for the false branch of the conditional statement. Let $\Gamma$ be $f{:}(\Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\})$. The proof tree for the false branch is given below, written as a list of judgments, each with the rule that derives it from the judgments above it:
\[
\begin{array}{lll}
\text{(a)} & \Gamma \vdash_{\{i,j\}} f : \Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\} & \text{(variable)} \\
\text{(b)} & \Gamma \vdash_{\{i,j\}} f(j) : \{\mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} & \text{($\Pi$-application to (a))} \\
\text{(c)} & \Gamma \vdash_{\{i,j\}} f(j) : \{i \mapsto j * \mathsf{lst}(j)\}\text{-}\{i \mapsto j\} & \text{(subsumption 1 on (b))} \\
\text{(d)} & \Gamma \vdash_{\{i,j\}} \mathsf{free}(i) : \{i \mapsto -\}\text{-}\{\mathsf{emp}\} & \text{(free)} \\
\text{(e)} & \Gamma \vdash_{\{i,j\}} \mathsf{free}(i) : \{i \mapsto j\}\text{-}\{\mathsf{emp}\} & \text{(subsumption 2 on (d))} \\
\text{(f)} & \Gamma \vdash_{\{i,j\}} (f(j); \mathsf{free}(i)) : \{i \mapsto j * \mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} & \text{(sequencing of (c), (e))} \\
\text{(g)} & \Gamma \vdash_{\{i\}} (\mathsf{let}\ j = [i]\ \mathsf{in}\ f(j); \mathsf{free}(i)) : \{\exists j.\ i \mapsto j * \mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} & \text{(lookup on (f))} \\
\text{(h)} & \Gamma \vdash_{\{i\}} (\mathsf{let}\ j = [i]\ \mathsf{in}\ f(j); \mathsf{free}(i)) : \{\mathsf{lst}(i) \wedge i \neq 0\}\text{-}\{\mathsf{emp}\} & \text{(subsumption 3 on (g))}
\end{array}
\]

Most of the steps in this tree use syntax-directed rules, such as those for sequential composition and procedure application. The only exceptions are the steps marked by 1, 2 and 3, where we apply the subsumption rule. These steps express structural rules in separation logic. Step 1 is an instance of the ordinary frame rule, and attaches the invariant $i \mapsto j$ to the pre- and post-conditions of the triple type $\{\mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\}$. The other steps are instances of Consequence. Step 2 strengthens the pre-condition of $\{i \mapsto -\}\text{-}\{\mathsf{emp}\}$, and step 3 replaces the pre-condition of $\{\exists j.\ i \mapsto j * \mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\}$ by the equivalent assertion $\mathsf{lst}(i) \wedge i \neq 0$. In the tree above, we have not shown how to derive the necessary subtype relations in 1, 2 and 3. They are straightforward to derive:
\[
\begin{aligned}
\{\mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} \preccurlyeq_{\{i,j\}}\ & (\{\mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\}) \otimes i \mapsto j && (\because\ \theta \preccurlyeq_\Delta \theta \otimes R) \\
\preccurlyeq_{\{i,j\}}\ & \{\mathsf{lst}(j) * i \mapsto j\}\text{-}\{\mathsf{emp} * i \mapsto j\} && (\because\ \{P\}\text{-}\{Q\} \otimes R \preccurlyeq_\Delta \{P * R\}\text{-}\{Q * R\}) \\
\preccurlyeq_{\{i,j\}}\ & \{i \mapsto j * \mathsf{lst}(j)\}\text{-}\{i \mapsto j\} && (\because\ \forall\eta.\ [\![P * Q]\!]_\eta = [\![Q * P]\!]_\eta \wedge [\![\mathsf{emp} * P]\!]_\eta = [\![P]\!]_\eta) \\[1ex]
\{i \mapsto -\}\text{-}\{\mathsf{emp}\} \preccurlyeq_{\{i,j\}}\ & \{i \mapsto j\}\text{-}\{\mathsf{emp}\} && (\because\ \forall\eta.\ [\![i \mapsto j]\!]_\eta \subseteq [\![i \mapsto -]\!]_\eta) \\[1ex]
\{\exists j.\ i \mapsto j * \mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} \preccurlyeq_{\{i\}}\ & \{\mathsf{lst}(i) \wedge i \neq 0\}\text{-}\{\mathsf{emp}\} && (\because\ \forall\eta.\ [\![\exists j.\ i \mapsto j * \mathsf{lst}(j)]\!]_\eta = [\![\mathsf{lst}(i) \wedge i \neq 0]\!]_\eta)
\end{aligned}
\]

The complete derivation of $\vdash_{\{\}} \mathit{Dlist} : \Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\}$ is shown in Figure 3.

Figure 3: Derivation of the Typing Judgment $\vdash_{\{\}} \mathit{Dlist} : \Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\}$
\[
\begin{array}{lll}
\text{(a)} & \Gamma \vdash_{\{i,j\}} f : \Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\} & \text{(variable)} \\
\text{(b)} & \Gamma \vdash_{\{i,j\}} f(j) : \{\mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} & \text{($\Pi$-application to (a))} \\
\text{(c)} & \Gamma \vdash_{\{i,j\}} f(j) : \{i \mapsto j * \mathsf{lst}(j)\}\text{-}\{i \mapsto j\} & \text{(1)} \\
\text{(d)} & \Gamma \vdash_{\{i,j\}} \mathsf{free}(i) : \{i \mapsto -\}\text{-}\{\mathsf{emp}\} & \text{(free)} \\
\text{(e)} & \Gamma \vdash_{\{i,j\}} \mathsf{free}(i) : \{i \mapsto j\}\text{-}\{\mathsf{emp}\} & \text{(2)} \\
\text{(f)} & \Gamma \vdash_{\{i,j\}} (f(j); \mathsf{free}(i)) : \{i \mapsto j * \mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} & \text{(sequencing of (c), (e))} \\
\text{(g)} & \Gamma \vdash_{\{i\}} \mathsf{let}\ j = [i]\ \mathsf{in}\ (f(j); \mathsf{free}(i)) : \{\exists j.\ i \mapsto j * \mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} & \text{(lookup on (f))} \\
\text{(h)} & \Gamma \vdash_{\{i\}} \mathsf{let}\ j = [i]\ \mathsf{in}\ (f(j); \mathsf{free}(i)) : \{\mathsf{lst}(i) \wedge i \neq 0\}\text{-}\{\mathsf{emp}\} & \text{(3)} \\
\text{(i)} & \Gamma \vdash_{\{i\}} \mathsf{skip} : \{\mathsf{emp}\}\text{-}\{\mathsf{emp}\} & \text{(skip)} \\
\text{(j)} & \Gamma \vdash_{\{i\}} \mathsf{skip} : \{\mathsf{lst}(i) \wedge i = 0\}\text{-}\{\mathsf{emp}\} & \text{(4)} \\
\text{(k)} & \Gamma \vdash_{\{i\}} \mathsf{ifz}\ i\ (\mathsf{skip})\ (\mathsf{let}\ j = [i]\ \mathsf{in}\ (f(j); \mathsf{free}(i))) : \{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\} & \text{(conditional on (j), (h))} \\
\text{(l)} & \Gamma \vdash_{\{\}} \lambda i.\ \mathsf{ifz}\ i\ (\mathsf{skip})\ (\mathsf{let}\ j = [i]\ \mathsf{in}\ (f(j); \mathsf{free}(i))) : \Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\} & \text{($\Pi$-abstraction on (k))} \\
\text{(m)} & \vdash_{\{\}} \lambda f.\lambda i.\ \mathsf{ifz}\ i\ (\mathsf{skip})\ (\mathsf{let}\ j = [i]\ \mathsf{in}\ (f(j); \mathsf{free}(i))) : (\Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\}) \to (\Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\}) & \text{($\to$-abstraction on (l))} \\
\text{(n)} & \vdash_{\{\}} \mathit{Dlist} : \Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\} & \text{(fix on (m))}
\end{array}
\]
In the tree, $\Gamma$ is $f{:}\Pi i.\{\mathsf{lst}(i)\}\text{-}\{\mathsf{emp}\}$; and at 1-4 of the tree, the subsumption rule is used with the following subtype relations:
\[
\begin{aligned}
\{\mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} &\preccurlyeq_{\{i,j\}} \{i \mapsto j * \mathsf{lst}(j)\}\text{-}\{i \mapsto j\} \\
\{i \mapsto -\}\text{-}\{\mathsf{emp}\} &\preccurlyeq_{\{i,j\}} \{i \mapsto j\}\text{-}\{\mathsf{emp}\} \\
\{\exists j.\ i \mapsto j * \mathsf{lst}(j)\}\text{-}\{\mathsf{emp}\} &\preccurlyeq_{\{i\}} \{\mathsf{lst}(i) \wedge i \neq 0\}\text{-}\{\mathsf{emp}\} \\
\{\mathsf{emp}\}\text{-}\{\mathsf{emp}\} &\preccurlyeq_{\{i\}} \{\mathsf{lst}(i) \wedge i = 0\}\text{-}\{\mathsf{emp}\}
\end{aligned}
\]

The second example is a client program that uses a randomized memory manager. The verification of this program demonstrates the use of a third-order frame rule.

The randomized memory manager is a module with two methods, $\mathit{Malloc}$ for allocating a cell and $\mathit{Mfree}$ for deallocating a cell. The memory manager maintains a free list whose starting address is stored in the cell $l$. When $\mathit{Malloc}$ is called, the module first checks this free list $[l]$. If the free list is not empty, $\mathit{Malloc}$ takes one cell from the list and returns it to the client. Otherwise, $\mathit{Malloc}$ makes a system call, obtains a new cell from the operating system, and returns this cell to the client. When $\mathit{Mfree}$ is called to deallocate cell $i$, the randomized memory manager first flips a coin. Then, depending on the result of the coin, it either adds the cell $i$ to the free list or returns the cell to the operating system. Note that randomization is used only in $\mathit{Mfree}$. We will focus on the method $\mathit{Mfree}$.

Let $\mathsf{inv}(l)$ be the assertion $\exists l'.\ (l \mapsto l') * \mathsf{lst}(l')$, which expresses that cell $l$ stores the starting address of a linked list. The following program implements the $\mathit{Mfree}$ method of the randomized memory manager:
\[
\begin{aligned}
\mathit{Mfree} &: (\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \otimes \mathsf{inv}(l) \\
\mathit{Mfree} &\stackrel{\mathrm{def}}{=} \lambda \mathit{cflip}.\ \lambda i.\ \mathit{cflip}(i);\ \mathsf{let}\ i' = [i]\ \mathsf{in}\ (\mathsf{ifz}\ i'\ (\mathsf{free}(i))\ (\mathsf{let}\ l' = [l]\ \mathsf{in}\ ([i] := l';\ [l] := i)))
\end{aligned}
\]

Note that before disposing cell $i$, method $\mathit{Mfree}$ uses the cell to store the result of flipping a coin by calling $\mathit{cflip}$ with $i$. The declared type of the method $\mathit{Mfree}$ has the form $\theta \otimes \mathsf{inv}(l)$. The $\theta$ part expresses that the method has the expected behavior externally, and the $\mathsf{inv}(l)$ part indicates that it maintains the module invariant internally. The derivation of the declared type is shown in Figure 4.

We now consider the following client of the randomized memory manager.
\[
\begin{aligned}
\mathit{Rd} &: \Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \\
\mathit{Rd} &\stackrel{\mathrm{def}}{=} \lambda i.\ \mathsf{let}\ i' = [i]\ \mathsf{in}\ [i] := i' + 1 \\
\mathit{Client} &: (\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \to \{j \mapsto -\}\text{-}\{\mathsf{emp}\} \\
\mathit{Client} &\stackrel{\mathrm{def}}{=} \lambda \mathit{mfree}.\ (\mathit{mfree}\ \mathit{Rd}\ j)
\end{aligned}
\]

The client $\mathit{Client}$ takes a "randomized" method $\mathit{mfree}$ for deallocating a cell. Then, it instantiates the method with the (degenerate) "random function" $\mathit{Rd}$, and calls the instantiated method to dispose cell $j$. Suppose that $\mathit{Client}$ is "linked" with the $\mathit{Mfree}$ of the randomized memory manager, that is, that it is applied to $\mathit{Mfree}$. We prove the correctness of this application by deriving the typing judgment $\vdash_{\{j,l\}} (\mathit{Client}\ \mathit{Mfree}) : \{j \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\}$.

The derivation of the mentioned typing judgment consists of three parts: the sub proof-trees for $\mathit{Mfree}$ and $\mathit{Client}$, and the part that links these two proof trees. The sub proof-trees for $\mathit{Mfree}$ and $\mathit{Client}$ are shown in Figures 4 and 5. Note that the internal free list $[l]$ of the memory manager does not appear in the proof tree for $\mathit{Client}$ in Figure 5; all the rules in the tree concern just cell $j$, the only cell that $\mathit{Client}$ directly manipulates.

Figure 4: Derivation of the Typing Judgment for $\mathit{Mfree}$

Consider $\Gamma$, $\Delta$ such that $\mathit{cflip} \notin \mathrm{dom}(\Gamma)$ and $i, i', l' \notin \Delta$ but $l \in \Delta$. Define $\Gamma'$, $\mathit{FBranch}$ and $\mathit{Body}$ as follows:
\[
\begin{aligned}
\Gamma' &\stackrel{\mathrm{def}}{=} \Gamma,\ \mathit{cflip} : (\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\}) \otimes \mathsf{inv}(l) \\
\mathit{FBranch} &\stackrel{\mathrm{def}}{=} \mathsf{let}\ l' = [l]\ \mathsf{in}\ ([i] := l';\ [l] := i) \\
\mathit{Body} &\stackrel{\mathrm{def}}{=} \mathsf{let}\ i' = [i]\ \mathsf{in}\ (\mathsf{ifz}\ i'\ (\mathsf{free}(i))\ \mathit{FBranch})
\end{aligned}
\]
The term $\mathit{Mfree}$ and its subterms $\mathit{FBranch}$ and $\mathit{Body}$ are typed as follows; the steps marked by 1-8 use the subsumption rule:
\[
\begin{array}{lll}
\text{(a)} & \Gamma' \vdash_{\Delta\cup\{i,i',l'\}} [i] := l' : \{i \mapsto -\}\text{-}\{i \mapsto l'\} & \text{(assignment)} \\
\text{(b)} & \Gamma' \vdash_{\Delta\cup\{i,i',l'\}} [i] := l' : \{l \mapsto - * i \mapsto -\}\text{-}\{l \mapsto - * i \mapsto l'\} & \text{(1: frame $l \mapsto -$)} \\
\text{(c)} & \Gamma' \vdash_{\Delta\cup\{i,i',l'\}} [l] := i : \{l \mapsto -\}\text{-}\{l \mapsto i\} & \text{(assignment)} \\
\text{(d)} & \Gamma' \vdash_{\Delta\cup\{i,i',l'\}} [l] := i : \{l \mapsto - * i \mapsto l'\}\text{-}\{l \mapsto i * i \mapsto l'\} & \text{(2: frame $i \mapsto l'$)} \\
\text{(e)} & \Gamma' \vdash_{\Delta\cup\{i,i',l'\}} ([i] := l';\ [l] := i) : \{l \mapsto - * i \mapsto -\}\text{-}\{l \mapsto i * i \mapsto l'\} & \text{(sequencing of (b), (d))} \\
\text{(f)} & \Gamma' \vdash_{\Delta\cup\{i,i',l'\}} ([i] := l';\ [l] := i) : \{l \mapsto l' * i \mapsto i' * \mathsf{lst}(l')\}\text{-}\{\mathsf{inv}(l)\} & \text{(3: frame $\mathsf{lst}(l')$, Consequence)} \\
\text{(g)} & \Gamma' \vdash_{\Delta\cup\{i,i'\}} \mathsf{let}\ l' = [l]\ \mathsf{in}\ ([i] := l';\ [l] := i) : \{\exists l'.\ l \mapsto l' * i \mapsto i' * \mathsf{lst}(l')\}\text{-}\{\mathsf{inv}(l)\} & \text{(lookup on (f))} \\
\text{(h)} & \Gamma' \vdash_{\Delta\cup\{i,i'\}} \mathit{FBranch} : \{i \mapsto i' * \mathsf{inv}(l) \wedge i' \neq 0\}\text{-}\{\mathsf{inv}(l)\} & \text{(4: Consequence)} \\
\text{(i)} & \Gamma' \vdash_{\Delta\cup\{i,i'\}} \mathsf{free}(i) : \{i \mapsto -\}\text{-}\{\mathsf{emp}\} & \text{(free)} \\
\text{(j)} & \Gamma' \vdash_{\Delta\cup\{i,i'\}} \mathsf{free}(i) : \{i \mapsto i' * \mathsf{inv}(l) \wedge i' = 0\}\text{-}\{\mathsf{inv}(l)\} & \text{(5: frame $\mathsf{inv}(l)$, Consequence)} \\
\text{(k)} & \Gamma' \vdash_{\Delta\cup\{i,i'\}} \mathsf{ifz}\ i'\ (\mathsf{free}(i))\ \mathit{FBranch} : \{i \mapsto i' * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} & \text{(conditional on (j), (h))} \\
\text{(l)} & \Gamma' \vdash_{\Delta\cup\{i\}} \mathsf{let}\ i' = [i]\ \mathsf{in}\ (\mathsf{ifz}\ i'\ (\mathsf{free}(i))\ \mathit{FBranch}) : \{\exists i'.\ i \mapsto i' * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} & \text{(lookup on (k))} \\
\text{(m)} & \Gamma' \vdash_{\Delta\cup\{i\}} \mathit{Body} : \{i \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} & \text{(6: Consequence)} \\
\text{(n)} & \Gamma' \vdash_{\Delta\cup\{i\}} \mathit{cflip} : (\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\}) \otimes \mathsf{inv}(l) & \text{(variable)} \\
\text{(o)} & \Gamma' \vdash_{\Delta\cup\{i\}} \mathit{cflip} : \Pi i.\{i \mapsto - * \mathsf{inv}(l)\}\text{-}\{i \mapsto - * \mathsf{inv}(l)\} & \text{(7: distribution over $\Pi$ and into the triple)} \\
\text{(p)} & \Gamma' \vdash_{\Delta\cup\{i\}} \mathit{cflip}(i) : \{i \mapsto - * \mathsf{inv}(l)\}\text{-}\{i \mapsto - * \mathsf{inv}(l)\} & \text{($\Pi$-application to (o))} \\
\text{(q)} & \Gamma' \vdash_{\Delta\cup\{i\}} \mathit{cflip}(i);\ \mathit{Body} : \{i \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} & \text{(sequencing of (p), (m))} \\
\text{(r)} & \Gamma' \vdash_{\Delta} \lambda i.\ \mathit{cflip}(i);\ \mathit{Body} : \Pi i.\{i \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} & \text{($\Pi$-abstraction on (q))} \\
\text{(s)} & \Gamma \vdash_{\Delta} \mathit{Mfree} : ((\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\}) \otimes \mathsf{inv}(l)) \to (\Pi i.\{i \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\}) & \text{($\to$-abstraction on (r))} \\
\text{(t)} & \Gamma \vdash_{\Delta} \mathit{Mfree} : ((\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\}) \to (\Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\})) \otimes \mathsf{inv}(l) & \text{(8)}
\end{array}
\]
Step 8 reads the distribution axiom for $\to$ from right to left, $(\theta \otimes P \to \theta' \otimes P) \preccurlyeq_\Delta (\theta \to \theta') \otimes P$, after weakening the result type with $\Pi i.\{i \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} \preccurlyeq_\Delta (\Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \otimes \mathsf{inv}(l)$, which follows from the distribution axioms and Consequence, since $[\![\mathsf{inv}(l)]\!]_\eta = [\![\mathsf{emp} * \mathsf{inv}(l)]\!]_\eta$ for all $\eta$.
Figure 5: Typing Derivation for $\mathit{Client}$
\[
\begin{array}{lll}
\text{(a)} & \Gamma \vdash_{\{j,i,i'\}} [i] := i'+1 : \{i \mapsto -\}\text{-}\{i \mapsto i'+1\} & \text{(assignment)} \\
\text{(b)} & \Gamma \vdash_{\{j,i,i'\}} [i] := i'+1 : \{i \mapsto i'\}\text{-}\{i \mapsto -\} & \text{(1)} \\
\text{(c)} & \Gamma \vdash_{\{j,i\}} \mathsf{let}\ i' = [i]\ \mathsf{in}\ [i] := i'+1 : \{\exists i'.\ i \mapsto i'\}\text{-}\{i \mapsto -\} & \text{(lookup on (b))} \\
\text{(d)} & \Gamma \vdash_{\{j,i\}} \mathsf{let}\ i' = [i]\ \mathsf{in}\ [i] := i'+1 : \{i \mapsto -\}\text{-}\{i \mapsto -\} & \text{(2)} \\
\text{(e)} & \Gamma \vdash_{\{j\}} \mathit{Rd} : \Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} & \text{($\Pi$-abstraction on (d))} \\
\text{(f)} & \Gamma \vdash_{\{j\}} \mathit{mfree} : \Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\} & \text{(variable)} \\
\text{(g)} & \Gamma \vdash_{\{j\}} \mathit{mfree}\ \mathit{Rd} : \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\} & \text{(application of (f) to (e))} \\
\text{(h)} & \Gamma \vdash_{\{j\}} \mathit{mfree}\ \mathit{Rd}\ j : \{j \mapsto -\}\text{-}\{\mathsf{emp}\} & \text{($\Pi$-application to (g))} \\
\text{(i)} & \vdash_{\{j\}} \mathit{Client} : (\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \to \{j \mapsto -\}\text{-}\{\mathsf{emp}\} & \text{($\to$-abstraction on (h))}
\end{array}
\]
where $\Gamma$ is $\mathit{mfree} : \Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}$. In the tree, the subsumption rule is applied at 1 and 2, and in both cases it uses subtype relations that express Consequence.



It is the third-order frame rule that lets us ignore the internal free list $[l]$ of the memory manager when constructing the proof tree for $\mathit{Client}$. The third-order frame rule adds the missing free list $[l]$ to the derived type for $\mathit{Client}$, so that we can link $\mathit{Client}$ with $\mathit{Mfree}$ without producing a type error. More precisely, the rule allows the following derivation:
\[
\begin{array}{ll}
\vdash_{\{j,l\}} \mathit{Client} : (\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \to \{j \mapsto -\}\text{-}\{\mathsf{emp}\} & \\
\vdash_{\{j,l\}} \mathit{Client} : ((\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \otimes \mathsf{inv}(l)) \to \{j \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} & \text{(1)} \\
\vdash_{\{j,l\}} \mathit{Client}\ \mathit{Mfree} : \{j \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\} & \text{(application, using the type of $\mathit{Mfree}$ from Figure 4)}
\end{array}
\]
Here the step marked by 1 is an instance of the third-order frame rule, and it applies the subsumption rule with the subtype relation proved below:
\[
\begin{aligned}
& (\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \to \{j \mapsto -\}\text{-}\{\mathsf{emp}\} \\
\preccurlyeq_{\{j,l\}}\ & ((\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \to \{j \mapsto -\}\text{-}\{\mathsf{emp}\}) \otimes \mathsf{inv}(l) && (\because\ \theta \preccurlyeq_\Delta \theta \otimes P) \\
\preccurlyeq_{\{j,l\}}\ & ((\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \otimes \mathsf{inv}(l)) \to (\{j \mapsto -\}\text{-}\{\mathsf{emp}\} \otimes \mathsf{inv}(l)) && (\because\ (\theta \to \theta') \otimes P \simeq_\Delta (\theta \otimes P \to \theta' \otimes P)) \\
\preccurlyeq_{\{j,l\}}\ & ((\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \otimes \mathsf{inv}(l)) \to \{j \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{emp} * \mathsf{inv}(l)\} && (\because\ \{P\}\text{-}\{Q\} \otimes R \simeq_\Delta \{P * R\}\text{-}\{Q * R\}) \\
\preccurlyeq_{\{j,l\}}\ & ((\Pi i.\{i \mapsto -\}\text{-}\{i \mapsto -\} \to \Pi i.\{i \mapsto -\}\text{-}\{\mathsf{emp}\}) \otimes \mathsf{inv}(l)) \to \{j \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\}. && (\because\ \forall\eta.\ [\![P]\!]_\eta = [\![P * \mathsf{emp}]\!]_\eta)
\end{aligned}
\]
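The following Python program is an added example, not code from the paper or from its authors. It gives an executable reading of the storage model and the assertion semantics of Section 2 (heaps as finite maps, $h \# h'$, $h \cdot h'$, $\mathsf{emp}$, $E \mapsto E'$, $*$, $\mathsf{lst}$ and $\mathsf{inv}$) and of the three programs of Section 3.1 ($\mathit{Dlist}$, $\mathit{Mfree}$ with the degenerate coin flip $\mathit{Rd}$, and $\mathit{Client}$), and it checks the derived triples on constructed heaps, including the frame rule and the tightness that the generalized frame rule relies on. Assumptions that are not in the paper: the free-list head cell $l$ is fixed at location 100, a command that touches a cell outside its heap raises a `Fault` (the paper's semantics handles this in the Hoare powerdomain instead), and all sample heaps are constructed for the example.

```python
# Added example, not code from the paper: an executable reading of the storage
# model (Section 2) and of the Dlist, Mfree and Client programs (Section 3).
# Heaps are dicts from positive locations to integers, assertions are Python
# predicates on heaps, and P * Q is decided by enumerating the splits of a heap.
from itertools import combinations

class Fault(Exception):
    """A command touched a cell its heap does not own (a non-tight program)."""

def disjoint(h1, h2):                      # h # h'
    return not (h1.keys() & h2.keys())

def combine(h1, h2):                       # h . h', defined only for disjoint heaps
    if not disjoint(h1, h2):
        raise ValueError("h # h' does not hold")
    return {**h1, **h2}

def emp(h):
    return h == {}

def points_to(loc, val=None):              # E |-> E'; val=None means E |-> -
    return lambda h: loc > 0 and set(h) == {loc} and (val is None or h[loc] == val)

def star(p, q):                            # P * Q: some split h = h1 . h2 works
    def sat(h):
        for k in range(len(h) + 1):
            for left in combinations(h, k):
                h1 = {l: h[l] for l in left}
                h2 = {l: v for l, v in h.items() if l not in left}
                if p(h1) and q(h2):
                    return True
        return False
    return sat

def lst(i):                                # lst(i) <=> (i=0 /\ emp) \/ exists j. (i|->j) * lst(j)
    def sat(h):
        if i == 0:
            return emp(h)
        return i in h and star(points_to(i), lst(h[i]))(h)
    return sat

def inv(l):                                # inv(l) = exists l'. (l |-> l') * lst(l')
    return lambda h: l in h and star(points_to(l), lst(h[l]))(h)

# Heap commands.  Each faults rather than touch a cell outside the current heap.
def read(h, loc):
    if loc not in h:
        raise Fault(f"[{loc}] is not allocated")
    return h[loc]

def write(h, loc, val):
    read(h, loc)
    h[loc] = val

def free(h, loc):
    read(h, loc)
    del h[loc]

def dlist(h, i):                           # Dlist = fix f. \i. ifz i skip (let j=[i] in f(j); free(i))
    if i != 0:
        j = read(h, i)
        dlist(h, j)
        free(h, i)

def rd(h, i):                              # Rd = \i. let i'=[i] in [i] := i'+1
    write(h, i, read(h, i) + 1)

FREE_LIST = 100                            # the cell l; 100 is an arbitrary choice for this example

def mfree(cflip):                          # Mfree = \cflip. \i. cflip(i); Body
    def method(h, i):
        cflip(h, i)
        if read(h, i) == 0:
            free(h, i)                     # return the cell to the system
        else:                              # FBranch: [i] := [l]; [l] := i
            write(h, i, read(h, FREE_LIST))
            write(h, FREE_LIST, i)
    return method

def client(mfree_method, j):               # Client = \mfree. mfree Rd j
    return lambda h: mfree_method(rd)(h, j)

def holds(pre, cmd, post, h, frame=None):
    """{pre} cmd {post} on h, run on h . frame as the frame rule demands:
    every cell of frame must come out exactly as it went in."""
    frame = frame or {}
    if not (pre(h) and disjoint(h, frame)):
        raise ValueError("precondition or h # frame violated")
    state = combine(h, frame)
    cmd(state)
    untouched = all(state.get(loc) == v for loc, v in frame.items())
    return untouched and post({l: v for l, v in state.items() if l not in frame})

def faults(cmd, h):                        # True iff cmd, run on a copy of h, leaves h's cells
    try:
        cmd(dict(h))
        return False
    except Fault:
        return True
```

With the constructed list heap `{1: 2, 2: 3, 3: 0}` (which satisfies `lst(1)`), `holds(lst(1), lambda h: dlist(h, 1), emp, {1: 2, 2: 3, 3: 0}, frame={7: 42})` returns `True`: the list is disposed and the framed cell 7 is untouched, which is the triple $\{\mathsf{lst}(1) * 7 \mapsto 42\}\text{-}\{\mathsf{emp} * 7 \mapsto 42\}$ obtained from Figure 3 by the frame rule. Running `dlist` on `{1: 5}` faults, because the program follows the pointer to the unallocated cell 5; this is the tightness the generalized frame rule depends on, and `holds(emp, lambda h: write(h, 7, 0), emp, {}, frame={7: 42})` returns `False` for the same reason, since that command is not local. For the second example, `holds(star(points_to(9), inv(FREE_LIST)), client(mfree, 9), inv(FREE_LIST), {9: 5, FREE_LIST: 0})` returns `True` whichever branch `Mfree` takes, matching the judgment $\{j \mapsto - * \mathsf{inv}(l)\}\text{-}\{\mathsf{inv}(l)\}$ for $\mathit{Client}\ \mathit{Mfree}$.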
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4. Semantics 

In this section we present our main contribution, the semantics that formalizes the 
underlying intuitions of the separation-logic type system. In particular, we formalize the 
following three intuitive properties of the type system: 

(1) The types in the separation-logic type system refine the conventional types. A 
separation-logic type specifies a stronger property of a term, and restricts clients of 
such terms by asking them to only depend upon what can be known from the type. 
For instance, the type {1 i— > 3}-{l i— > 0} of a term M indicates not just that M is a 
command, but also that M stores to cell 1 if cell 1 contains 3 initially. Moreover, 
this type forces clients to run M only when cell 1 contains 3. 

(2) The higher-order frame rules in the type system imply that all programs behave 
locally. 

(3) The type system, however, does not change the computational behavior of each 
program. 

We formalize the first intuitive property by means of partial equivalence relations. Roughly, 
each type 9 in our semantics determines a partial equivalence relation (in short, per) over 
the meaning of the "underlying type" 9. The domain of a per over a set A is a subset 
of A; this indicates that 9 indeed specifies a stronger property than 9. The other part 
of a per, namely the equivalence relation part, explains that the type system restricts the 
clients, so that no type-checked clients can tell apart two equivalent programs. For instance, 
{1 i— > 3}-{l i— > 0} determines a per over the set of all commands. The domain of this per 
consists of commands satisfying {1 ^ 3}-{l i— > 0}, and the per equates two such commands 
if they behave identically when cell 1 contains 3 initially. The equivalence relation implies 
that type-checked clients run a command of {1 i— > 3}-{l i— > 0} only when cell 1 contains 3. 

We justify the other two intuitive properties by proving technical lemmas about our 
semantics. For number 2, we prove the soundness of all the subtyping rules, including 
the generalized frame rule and the distribution rules. For number 3, we prove that our 
semantics has been obtained by extracting and then quotienting semantic elements in the 
conventional semantics; yet, this extraction and quotienting does not reduce the computational 
information of semantic elements. 

In this section, we first define categories C and D, corresponding to the extraction and 
quotienting, respectively. Next we give the interpretation of types and terms. Finally, we 
connect our semantics with the conventional semantics, and prove that our semantics is 
indeed obtained by extracting and quotienting from the conventional semantics. 

To make the paper accessible to a wider audience, we have decided to present the 
categories C and D and the proofs of their properties in a very concrete way; it is possible 
to give equivalent, but more abstract, descriptions of C and D and use known abstract 
results from category theory to prove some of their properties (e.g., cartesian closure). 
For simplicity, we use the Hoare powerdomain to model the nondeterminism of commands 
in the semantics. Our results can be adapted to other alternatives, such as the Plotkin 
powerdomain for countable nondeterminism, using the idea from Chapter 9.3.2 of [23]. 

4.1. Categories C and D. We construct C and D by modifying the category CPO of 
pointed cpos and continuous functions. For C, we impose a parameterized per on each cpo, 
and extract only those morphisms in CPO that preserve such pers (at all instantiations). 
The pers formalize that each type θ corresponds to a specification over its underlying 
type, and the preservation of the pers guarantees that all the morphisms in C satisfy 
the corresponding specifications. The parameterization of each per gives an additional 
guarantee that all morphisms in C behave locally (in the sense of higher-order frame rules). 
The other category D is a quotient of C. Intuitively, the quotienting of C reflects that 
our type system also restricts the clients of a term; thus, more terms become equivalent 
observationally. 

We define the "extracting" category C first. Let Pred be the set of predicates, i.e., 
subsets of Heap. We recall the semantic version of the separating connectives, emp and *, on 
Pred. For $p, q \in \mathit{Pred}$, 

$$h \in \mathit{emp} \iff h = \lambda n.\,\mathit{undef},$$

$$h \in p * q \iff \exists h_1, h_2.\ h_1 \cdot h_2 = h \wedge h_1 \in p \wedge h_2 \in q.$$

The category C is defined as follows: 

• objects: (A, R) where A is a pointed cpo, and R is a family of admissible pers¹ 
indexed by predicates such that 

$$\forall p, q \in \mathit{Pred}.\ R(p) \subseteq R(p * q);$$

• morphisms: $f \colon (A, R) \to (B, S)$ is a continuous function from A to B such that 

$$\forall p \in \mathit{Pred}.\ f\,[R(p) \to S(p)]\,f,$$

i.e., f maps R(p)-related elements to S(p)-related elements. 

Intuitively, an object (A, R) denotes a specification parameterized by invariant extension. 
The first component A denotes the underlying set from which we select "correct" elements. 
R(emp) denotes the initial specification of this object where no invariant is added by the 
frame rule. The domain |R(emp)| of the per R(emp) indicates which elements satisfy the 
specification, and the equivalence relation on |R(emp)| expresses how the specification is 
also used to limit the interaction of a client: the client can only do what the specification 
guarantees, so more elements become equivalent observationally. The per R(p) at another 
predicate p denotes the specification extended by the invariant p. 

We illustrate the intuition of C with a "Hoare-triple" object [p, q] for $p, q \in \mathit{Pred}$. Let 
comm be the set of all functions c from Heap to $\mathcal{P}(\mathit{Heap} \cup \{\mathit{wrong}\})$ that satisfy safety 
monotonicity and the frame property: 

• Safety Monotonicity: for all $h, h_0 \in \mathit{State}$, if $h \# h_0$ and $\mathit{wrong} \notin c(h)$, then $\mathit{wrong} \notin c(h \cdot h_0)$; 

• Frame Property: for all $h, h_0, h'_1 \in \mathit{State}$, if $h \# h_0$, $\mathit{wrong} \notin c(h)$, and $h'_1 \in c(h \cdot h_0)$, 
then there exists $h'$ such that $h'_1 = h' \cdot h_0$ and $h' \in c(h)$. 

The above two properties are from the work on separation logic, and they form a sufficient 
and necessary condition for commands to satisfy the (first-order) frame rule [23]. Note that 
safety monotonicity and the frame property together are equivalent to the following condition²: 

$$\text{if } h \# h_0 \text{ and } \mathit{wrong} \notin c(h), \text{ then } c(h \cdot h_0) \subseteq \{h' \cdot h_0 \mid h' \in c(h) \text{ and } h' \# h_0\}.$$
¹ A per $R_0$ on A is admissible iff $(\bot, \bot) \in R_0$ and $R_0$ is a sub-cpo of $A \times A$. 

² The inclusion is one way only. For a counterexample, consider two disjoint heaps $h = [1 \mapsto 0]$ and $h_0 = [2 \mapsto 0]$ 
and the command 

$$\vdash \mathtt{let}\ j = \mathtt{new}\ \mathtt{in}\ (\mathtt{free}(j);\ (\mathtt{ifz}\ (j-2)\ ([1] := 5)\ ([1] := 6))) : \{1 \mapsto -\}\text{-}\{1 \mapsto -\}.$$

When this command is run in h, it nondeterministically assigns 5 or 6 to location 1, but when it is run in the 
bigger heap $h \cdot h_0$, the command always assigns 6 to the same location. 
The set comm is the first component of the Hoare-triple object [p, q], where the order on 
comm is given by: 

$$c \sqsubseteq c' \iff \forall h.\ c(h) \subseteq c'(h).$$

The real meaning of [p, q] is given by the second component R. For each predicate $p_0$, 
the domain of $R(p_0)$ consists of all "commands" in comm that satisfy $\{p * p_0\}\text{-}\{q * p_0\}$: 

$$c \in |R(p_0)| \iff \forall h \in p * p_0.\ c(h) \subseteq q * p_0.$$

The equivalence relation $R(p_0)$ relates c and c' in $|R(p_0)|$ iff c and c' behave the same for 
the inputs in $p * p_0 * \mathit{true}$, where $\mathit{true} = \{h \mid h \in \mathit{Heap}\}$: 

$$c\,[R(p_0)]\,c' \iff \forall h \in p * p_0 * \mathit{true}.\ c(h) = c'(h).$$

This equivalence relation means that the type system allows a client to execute c or c' in h 
only when h satisfies $p * p_0 * p'$ for some p', which is added by the frame rule. We remark 
that the * operator in the definition of $|R(p_0)|$ is allowed to partition the heap differently 
before and after the execution of c. For instance, when 

$$p = \{[1 \mapsto 1]\},\quad q = \{[2 \mapsto 0]\},\quad \text{and}\quad p_0 = \{[2 \mapsto 0, 3 \mapsto 0],\ [1 \mapsto 0, 3 \mapsto 1]\},$$

the initial heap h in the definition is split into cell 1 for p and cells 2, 3 for $p_0$, but the final 
heap is split into cell 2 for q and cells 1, 3 for $p_0$. 
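The domain comm, the two locality conditions and the parameterized per $R(p_0)$ of the triple object [p, q] can be checked mechanically over a finite heap. The following is an added example (my own code, not the paper's): it assumes a three-cell address space and a four-value domain so that every quantifier above ranges over a finite set, models the footnote's command to show that the inclusion in the combined condition is strict, and shows that under the invariant $[2 \mapsto 0]$ the per equates $[1] := 5$ with a command that first inspects cell 2.

```python
from itertools import product

LOCS = (1, 2, 3)        # constructed finite address space (the paper's Heap is infinite)
VALS = (0, 1, 5, 6)     # constructed finite value space
WRONG = "wrong"         # the faulting outcome

def dom(h):
    return {l for l, _ in h}

def disjoint(h, h0):    # h # h0
    return not (dom(h) & dom(h0))

def join(h, h0):        # h . h0, defined only when h # h0
    assert disjoint(h, h0)
    return h | h0

# Heap = every finite partial function LOCS -> VALS, as a frozenset of pairs;
# the empty frozenset is the heap lambda n. undef.
HEAP = [frozenset((l, v) for l, v in zip(LOCS, vs) if v is not None)
        for vs in product((None,) + VALS, repeat=len(LOCS))]
TRUE = set(HEAP)
EMP = {frozenset()}

def star(p, q):         # semantic separating conjunction p * q
    return {join(h1, h2) for h1 in p for h2 in q if disjoint(h1, h2)}

def pts(m, v=None):     # the predicate m |-> v, or m |-> - when v is None
    return {frozenset({(m, x)}) for x in VALS if v is None or x == v}

# A command is a function Heap -> P(Heap + {wrong}); these fault on an absent cell.
def write(m, v):        # [m] := v
    return lambda h: ({frozenset((l, v if l == m else x) for l, x in h)}
                      if m in dom(h) else {WRONG})

def free(m):            # free(m)
    return lambda h: ({frozenset((l, x) for l, x in h if l != m)}
                      if m in dom(h) else {WRONG})

def seq(c, d):          # the semantic constant seq: faults of c, plus d run on every result of c
    def e(h):
        results = c(h)
        out = {WRONG} if WRONG in results else set()
        return out.union(*(d(r) for r in results if r != WRONG))
    return e

def ifz(n, c, d):       # ifz n c d: c when n = 0, otherwise d
    return c if n == 0 else d

def new(body):          # let j = new in body(j): any free cell, initialised to 0
    # (in this finite model a completely full heap simply has no outcome)
    return lambda h: set().union(*(body(j)(h | {(j, 0)}) for j in LOCS if j not in dom(h)))

def safety_monotone(c):
    return all(WRONG in c(h) or WRONG not in c(join(h, h0))
               for h in HEAP for h0 in HEAP if disjoint(h, h0))

def frame_property(c):
    """Every non-faulting result on h.h0 is h'.h0 for some result h' of c on h."""
    for h in HEAP:
        if WRONG in c(h):
            continue
        for h0 in HEAP:
            if not disjoint(h, h0):
                continue
            for h1 in c(join(h, h0)):
                if h1 != WRONG and not any(h1 == join(hp, h0)
                                           for hp in c(h) if disjoint(hp, h0)):
                    return False
    return True

def in_domain(c, p, q, p0):
    """c in |R(p0)| for the triple object [p, q]: for all h in p*p0, c(h) is inside q*p0."""
    return all(c(h) <= star(q, p0) for h in star(p, p0))

def related(c, d, p, q, p0):
    """c [R(p0)] d: both in the domain and equal on every h in p*p0*true."""
    return (in_domain(c, p, q, p0) and in_domain(d, p, q, p0) and
            all(c(h) == d(h) for h in star(star(p, p0), TRUE)))

# The footnote's command: let j = new in (free(j); ifz (j-2) ([1]:=5) ([1]:=6)).
CEX = new(lambda j: seq(free(j), ifz(j - 2, write(1, 5), write(1, 6))))
H, H0 = frozenset({(1, 0)}), frozenset({(2, 0)})

def one_way_inclusion():
    """Returns (c(h), c(h.h0), {h'.h0 | h' in c(h), h' # h0}); the inclusion is strict."""
    small, big = CEX(H), CEX(join(H, H0))
    return small, big, {join(hp, H0) for hp in small if disjoint(hp, H0)}

# A command whose footprint includes cell 2: it writes 5 to cell 1 when cell 2 holds 0
# and 6 otherwise (faulting if either cell is absent). It is not in the domain of
# R(emp) for [1 |-> -, 1 |-> 5], but under the invariant 2 |-> 0 the per R({[2 |-> 0]})
# puts it in the domain and equates it with [1] := 5: a client that must preserve
# 2 |-> 0 cannot tell them apart.
def peek_then_write(h):
    if 1 not in dom(h) or 2 not in dom(h):
        return {WRONG}
    return write(1, 5 if (2, 0) in h else 6)(h)
```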

The category C is cartesian closed, has all small products, and contains the least fixpoint 
operator. The terminal object is $(\{\bot\}, \mathit{CR})$ where $\mathit{CR}(p)$ is $\{(\bot, \bot)\}$ for all p, and the small 
products are given pointwise; for instance, $(A, R) \times (B, S)$ is $(A \times B, \{R(p) \times S(p)\}_p)$. The 
exponential of (A, R) and (B, S) is subtle, and its per component involves quantification 
over all predicates. The cpo component of the exponential $(A, R) \Rightarrow (B, S)$ is the continuous 
function space $A \Rightarrow B$, and the per component of $(A, R) \Rightarrow (B, S)$, denoted $R \Rightarrow S$, is 
defined as follows: 

$$f \in |(R \Rightarrow S)(p)| \iff \forall q \in \mathit{Pred}.\ f\,[R(p * q) \to S(p * q)]\,f,$$

$$f\,[(R \Rightarrow S)(p)]\,g \iff f, g \in |(R \Rightarrow S)(p)| \wedge \forall q \in \mathit{Pred}.\ f\,[R(p * q) \to S(p * q)]\,g.$$

Note that the right hand sides of the above equivalences quantify over all *-extensions $p * q$ 
of p. This quantification ensures that $R \Rightarrow S$ satisfies the requirement 

$$\forall p,p' \in \mathit{Pred}.\ (R \Rightarrow S)(p) \subseteq (R \Rightarrow S)(p * p')$$

in the category C. 

Lemma 4.1. C is cartesian closed, and has all small products. 

Proof. First, we prove that for every (small) family $\{(A_i, R_i)\}_{i \in I}$ of objects in C, its product 
is $(\Pi_{i \in I} A_i, \Pi_{i \in I} R_i)$ and the i-th projection $\pi_i$ is $\lambda x.\,x(i)$. Here we write $(\Pi_{i \in \emptyset} A_i, \Pi_{i \in \emptyset} R_i)$ for 
$(\{\bot\}, \mathit{CR})$. It is straightforward to show that $(\Pi_{i \in I} A_i, \Pi_{i \in I} R_i)$ is an object in C and $\pi_i$ is a 
morphism in C. So, we focus on proving the usual universality requirement for the product. 
Consider an object (B, S) and a family $\{f_i \colon (B, S) \to (A_i, R_i)\}_{i \in I}$ of morphisms in C. We 
need to prove that there exists a unique morphism k from (B, S) to $(\Pi_{i \in I} A_i, \Pi_{i \in I} R_i)$, such 
that 

$$\forall i \in I.\ f_i = \pi_i \circ k.$$

The above formula is equivalent to saying that k is $g = \lambda b.\lambda i.\,f_i(b)$. In particular, when 
$I = \emptyset$, k has to be the unique function $g' = \lambda b.\,\bot$. Note that these characterizations give 
the uniqueness of k. We prove the existence of k by showing that g and g' are morphisms 
in C. The continuity of g and g' is well-known. The relation preservation of g' also easily 
follows, since CR is a family of complete relations. For the relation preservation of g, we 
use the fact that the $f_i$'s are morphisms in C. Pick an arbitrary predicate p, and choose 
b, b' from B such that $b\,[S(p)]\,b'$. Then, 

$$\forall i \in I.\ f_i(b)\,[R_i(p)]\,f_i(b') \iff \forall i \in I.\ (g(b)(i))\,[R_i(p)]\,(g(b')(i)) \quad (\because \text{the definition of } g)$$

$$\iff g(b)\,[(\Pi_{i \in I} R_i)(p)]\,g(b') \quad (\because \text{the definition of } \Pi_{i \in I} R_i).$$

Next, we prove that $(A \Rightarrow B, R \Rightarrow S)$ is an exponential of (A, R) and (B, S), with the 
evaluation morphism $\mathit{ev} = \lambda(f, x).\,f(x)$. It is straightforward to prove that ev is a morphism 
in C and $(A \Rightarrow B, R \Rightarrow S)$ is an object in C. So, we focus on the universality requirement 
for the exponentials. Consider a morphism $f \colon (C, T) \times (A, R) \to (B, S)$ in C. We need to 
show that there exists a unique morphism $\mathit{curry}(f) \colon (C, T) \to (A \Rightarrow B, R \Rightarrow S)$ such that 

$$\forall (c, a) \in C \times A.\ f(c, a) = \mathit{ev}(\mathit{curry}(f)(c), a).$$

Since $\mathit{ev}(\mathit{curry}(f)(c), a) = \mathit{curry}(f)(c)(a)$, the above is equivalent to $\mathit{curry}(f) = \lambda c.\lambda a.\,f(c, a)$. 
Note that this characterizes curry(f) completely, so it gives the uniqueness of curry(f). It 
remains to prove that curry(f) is a morphism in C. It is well-known that curry(f) is a 
continuous function from C to $A \Rightarrow B$. Thus, we only prove the relation preservation of 
curry(f), using the fact that $f\,[T(p) \times R(p) \to S(p)]\,f$ for all p. Pick an arbitrary predicate 
p and c, c' in C such that $c\,[T(p)]\,c'$. Then, for all predicates q, we have that $c\,[T(p * q)]\,c'$, 
because $T(p) \subseteq T(p * q)$. Thus, 

$$\forall q.\ \forall a, a' \in A.\ a\,[R(p * q)]\,a' \implies f(c, a)\,[S(p * q)]\,f(c', a')$$

$$\iff (\lambda a.\,f(c, a))\,[(R \Rightarrow S)(p)]\,(\lambda a'.\,f(c', a')) \quad (\because \text{the definition of } R \Rightarrow S)$$

$$\iff \mathit{curry}(f)(c)\,[(R \Rightarrow S)(p)]\,\mathit{curry}(f)(c') \quad (\because \text{the definition of } \mathit{curry}(f)).$$

□ 

Lemma 4.2. For every object (A, R) in C, the least fixpoint operator $\mathit{lfix}_A \colon [A \Rightarrow A] \to A$ 
on A is a morphism in C. 

Proof. Pick an arbitrary predicate p, and continuous functions f, g of type $A \to A$, such 
that $f\,[(R \Rightarrow R)(p)]\,g$; equivalently, $f\,[R(p * q) \to R(p * q)]\,g$ for all q. We need to show 
that $\mathit{lfix}(f)\,[R(p)]\,\mathit{lfix}(g)$. Note that since R is admissible, it is sufficient to prove that 
$f^k(\bot)\,[R(p)]\,g^k(\bot)$ for all $k \geq 0$. This sufficient condition holds because $f\,[R(p) \to R(p)]\,g$ 
and $\bot\,[R(p)]\,\bot$. □ 

Another important feature of C is that it validates higher-order frame rules. Let $\mathcal{P}_\sqsubseteq$ be 
the preorder $(\mathit{Pred}, \sqsubseteq)$ with $\sqsubseteq$ defined by predicate extension: 

$$p \sqsubseteq r \iff \exists q.\ p * q = r.$$

Category C has an "invariant-extension" functor inv from $C \times \mathcal{P}_\sqsubseteq$ to C defined by: 

$$\mathit{inv}((A, R), p) = (A, R(p * -)) \quad \text{and} \quad \mathit{inv}(f, p \sqsubseteq q) = f.$$

Functor inv corresponds to the type constructor ⊗ in our language; given a "type" (A, R) 
and a predicate p, inv extends (A, R) by adding the invariant p. For instance, when a triple 
object [p', q'] is extended with p, it becomes [p' * p, q' * p]. 

Functor inv validates the subtyping rules that express higher-order frame rules: the 
generalized frame rule $\theta \leq \theta \otimes P$ and the rules for distributing ⊗ over each type constructor. 
We first show that the functoriality of inv gives the soundness of the generalized frame rule. 
Note that $\mathit{emp} \sqsubseteq p$ for all predicates p, and that inv(-, emp) is the identity functor on C. 
Thus, for each (A, R), the functoriality of inv gives a morphism from (A, R) to inv((A, R), p). 
This morphism gives the soundness of the subtyping rule $\theta \leq \theta \otimes P$. 

The soundness of the other distribution rules follows from the fact that for all p, inv(-, p) 
preserves most of the structure of C. For instance, inv(-, p) preserves the exponential of C, 
because for all objects (A, R) and (B, S) and all predicates q, we have that 

$$f\,[(R(p * -) \Rightarrow S(p * -))(q)]\,g \iff \forall q'.\ f\,[R(p * (q * q')) \to S(p * (q * q'))]\,g$$

$$\iff \forall q'.\ f\,[R((p * q) * q') \to S((p * q) * q')]\,g$$

$$\iff f\,[(R \Rightarrow S)(p * q)]\,g.$$

Lemma 4.3. For each predicate p, inv(-, p) preserves the cartesian closed structure and 
all the small products of C on the nose. 

Proof. It is sufficient to prove that inv(-, p) preserves exponential objects, small product 
objects, evaluation morphisms, and projection morphisms. First, we prove the preservation 
of the small product objects and projection morphisms. Consider a family $\{(A_i, R_i)\}_{i \in I}$ of 
objects in C. The following shows that the product $\Pi_{i \in I}(A_i, R_i)$ of this family is preserved 
by inv(-, p): 

$$\mathit{inv}(\Pi_{i \in I}(A_i, R_i), p) = \mathit{inv}((\Pi_{i \in I} A_i, \Pi_{i \in I} R_i), p) \quad (\because \text{the definition of products in } C)$$

$$= (\Pi_{i \in I} A_i, (\Pi_{i \in I} R_i)(p * -)) \quad (\because \text{the definition of inv})$$

$$= (\Pi_{i \in I} A_i, \Pi_{i \in I}(R_i(p * -)))$$

$$= \Pi_{i \in I}(A_i, R_i(p * -))$$

$$= \Pi_{i \in I}(\mathit{inv}((A_i, R_i), p)) \quad (\because \text{the definition of inv}).$$

Since inv(f, p) = f, functor inv preserves the i-th projection from $\Pi_{i \in I}(A_i, R_i)$. 

Next, we show that inv(-, p) preserves the exponential objects and evaluation morphisms 
in C. Let (A, R) and (B, S) be objects in C. By what we have shown before this 
lemma, we have that 

$$(R \Rightarrow S)(p * -) = R(p * -) \Rightarrow S(p * -).$$

From this follows the preservation of exponential objects: 

$$\mathit{inv}((A, R) \Rightarrow (B, S), p) = \mathit{inv}((A \Rightarrow B, R \Rightarrow S), p) \quad (\because \text{Def. of exponentials in } C)$$

$$= (A \Rightarrow B, (R \Rightarrow S)(p * -)) \quad (\because \text{Def. of inv})$$

$$= (A \Rightarrow B, R(p * -) \Rightarrow S(p * -))$$

$$= (A, R(p * -)) \Rightarrow (B, S(p * -)) \quad (\because \text{Def. of exponentials in } C)$$

$$= \mathit{inv}((A, R), p) \Rightarrow \mathit{inv}((B, S), p) \quad (\because \text{Def. of inv}).$$

Functor inv(-, p) preserves the evaluation morphism ev for $(A, R) \Rightarrow (B, S)$, because 
inv(-, p) preserves the products and exponentials and inv(f, p) only changes the type of f, 
not modifying its "meaning" (i.e., inv(f, p) = f). □ 

Lemma 4.4. For all predicates p and q, $\mathit{inv}(-, p) \circ \mathit{inv}(-, q) = \mathit{inv}(-, p * q)$. 

Proof. Both $\mathit{inv}(-, p) \circ \mathit{inv}(-, q)$ and $\mathit{inv}(-, p * q)$ map a morphism f to the same f with 
perhaps different domain and codomain. Thus, if they act the same on the objects in C, 
they must act the same on the morphisms. In fact, they do act the same on the objects; 
for each (A, R) in C, 

$$(\mathit{inv}(-, p) \circ \mathit{inv}(-, q))(A, R) = (A, R(p * (q * -))) \quad (\because \text{the definition of inv})$$

$$= (A, R((p * q) * -)) \quad (\because * \text{ is associative})$$

$$= \mathit{inv}(-, p * q)(A, R) \quad (\because \text{the definition of inv}).$$

□ 

For now, the final remark on C is that the triple-object generator [-, -] can be made 
into a functor, whose morphism action validates the subtyping rule for Consequence. Let $\mathcal{P}$ 
be the set of predicates ordered by subset inclusion ⊆. Generator [-, -] can be extended 
to a functor tri from $\mathcal{P}^{op} \times \mathcal{P}$ to C: 

$$\mathit{tri}(p, q) = [p, q] \quad \text{and} \quad \mathit{tri}(p' \subseteq p,\ q \subseteq q')(c) = c.$$

Note that tri is contravariant in the first argument and covariant in the second argument. 
This mixed variance reflects that the pre-condition of a triple can be strengthened, and 
the post-condition can be weakened; thus, it validates the subtyping rule for Consequence. 
We also note that the subtyping rule that moves an invariant assertion into the pre- and 
post-conditions is sound. 

Lemma 4.5. For each predicate p, let $-*p \colon \mathcal{P} \to \mathcal{P}$ be the functor that maps a predicate q 
to $q * p$. Then, 

$$\mathit{inv}(-, p) \circ \mathit{tri} = \mathit{tri}(-*p, -*p).$$

Proof. Both $\mathit{inv}(-, p) \circ \mathit{tri}$ and $\mathit{tri}(-*p, -*p)$ map the morphisms in $\mathcal{P}^{op} \times \mathcal{P}$ to inclusions 
between pointed cpos. Thus, it is sufficient to prove that $\mathit{inv}(-, p) \circ \mathit{tri}$ and $\mathit{tri}(-*p, -*p)$ 
act the same on objects. Pick an arbitrary object (p', q') in $\mathcal{P}^{op} \times \mathcal{P}$. Then, by the definition 
of inv and tri, there exist families R, S of pers such that 

$$(\mathit{comm}, R) = (\mathit{inv}(-, p) \circ \mathit{tri})(p', q') \quad \text{and} \quad (\mathit{comm}, S) = (\mathit{tri}(-*p, -*p))(p', q').$$

Thus, to prove $(\mathit{inv}(-, p) \circ \mathit{tri})(p', q') = (\mathit{tri}(-*p, -*p))(p', q')$, we only need to show R = S. 
For each predicate $p_0$, the domains of $R(p_0)$ and $S(p_0)$ are the same, because 

$$c \in |R(p_0)| \iff \forall h \in p' * (p * p_0).\ c(h) \subseteq q' * (p * p_0) \quad (\because \text{Def. of } \mathit{inv}(\mathit{tri}(p', q'), p))$$

$$\iff \forall h \in (p' * p) * p_0.\ c(h) \subseteq (q' * p) * p_0 \quad (\because * \text{ is associative})$$

$$\iff c \in |S(p_0)| \quad (\because \text{Def. of } \mathit{tri}(p' * p, q' * p)).$$

And, $R(p_0)$ and $S(p_0)$ specify the same relation on their domains, because 

$$c\,[R(p_0)]\,c' \iff \forall h \in p' * (p * p_0) * \mathit{true}.\ c(h) = c'(h) \quad (\because \text{Def. of } \mathit{inv}(\mathit{tri}(p', q'), p))$$

$$\iff \forall h \in (p' * p) * p_0 * \mathit{true}.\ c(h) = c'(h) \quad (\because * \text{ is associative})$$

$$\iff c\,[S(p_0)]\,c' \quad (\because \text{Def. of } \mathit{tri}(p' * p, q' * p)).$$

□ 

The category D is obtained from C by equating morphisms according to an equivalence 
relation ~. Morphisms f and g in C[(A, R), (B, S)] are related by ~ iff 

$$\forall p \in \mathit{Pred}.\ f\,[R(p) \to S(p)]\,g.$$

~ is an equivalence relation; it is reflexive, because every morphism in C[(A, R), (B, S)] 
must map R(p)-related elements to S(p)-related elements, for all p; it is symmetric and 
transitive because, for all p, R(p) and S(p) are symmetric and transitive. The interesting 
property of ~ is that it is preserved by all the structure of C: 

Lemma 4.6 (Preservation). The relation ~ is preserved by the following operators in C: 
• the functor $\mathit{inv}(-, p \sqsubseteq q)$ on C, for all predicates p, q such that $p \sqsubseteq q$; 

• the composition of morphisms; 

• the currying of morphisms; and 

• the pairing into all the small products. 

Proof. First, we prove the preservation by inv. Let p and q be predicates such that $p \sqsubseteq q$. 
Pick two arbitrary morphisms $f, g \colon (A, R) \to (B, S)$ in C such that $f \sim g$. We will show 
that $\mathit{inv}(f, p \sqsubseteq q) \sim \mathit{inv}(g, p \sqsubseteq q)$. Morphisms $\mathit{inv}(f, p \sqsubseteq q)$ and $\mathit{inv}(g, p \sqsubseteq q)$ both have the 
type $(A, R(p * -)) \to (B, S(q * -))$. Thus, proving $\mathit{inv}(f, p \sqsubseteq q) \sim \mathit{inv}(g, p \sqsubseteq q)$ amounts to 
showing the formula: 

$$\forall r \in \mathit{Pred}.\ f\,[R(p * r) \to S(q * r)]\,g.$$

The formula holds, because $f\,[R(p * r) \to S(p * r)]\,g$ and $S(p * r) \subseteq S(q * r)$ for all r. 

Second, we prove the preservation by the composition of morphisms. Consider morphisms 
$f, f' \colon (A, R) \to (B, S)$ and $g, g' \colon (B, S) \to (C, T)$ such that $f \sim f'$ and $g \sim g'$. Then, 
for all predicates p and all $a, a' \in A$ such that $a\,[R(p)]\,a'$, we have that $f(a)\,[S(p)]\,f'(a')$, so 
$g(f(a))\,[T(p)]\,g'(f'(a'))$. This proves that $(g \circ f) \sim (g' \circ f')$. 

Third, we show the preservation by the currying operator. Consider morphisms f, f' 
from $(C, T) \times (A, R)$ to (B, S), such that $f \sim f'$. Pick an arbitrary predicate p, and choose 
T(p)-related c, c' from C. Then, for all predicates q, we have that $c\,[T(p * q)]\,c'$, because 
$T(p) \subseteq T(p * q)$. Thus, 

$$\forall q.\ \forall a, a' \in A.\ a\,[R(p * q)]\,a' \implies f(c, a)\,[S(p * q)]\,f'(c', a')$$

$$\iff (\lambda a.\,f(c, a))\,[(R \Rightarrow S)(p)]\,(\lambda a'.\,f'(c', a')) \quad (\because \text{the definition of } R \Rightarrow S)$$

$$\iff \mathit{curry}(f)(c)\,[(R \Rightarrow S)(p)]\,\mathit{curry}(f')(c') \quad (\because \text{the definition of curry}).$$

What we have just proved shows that $\mathit{curry}(f) \sim \mathit{curry}(f')$. 

Finally, we prove the preservation by the pairing into the small products. Consider 
a family $\{(A_i, R_i)\}_{i \in I}$ of objects in C. Pick two families of morphisms in C, $\{f_i\}_{i \in I}$ and 
$\{f'_i\}_{i \in I}$, such that 

$$\forall i \in I.\ f_i \colon (B, S) \to (A_i, R_i),\quad f'_i \colon (B, S) \to (A_i, R_i),\quad \text{and}\quad f_i \sim f'_i.$$

We need to show the following equivalence: 

$$(\lambda b{:}B.\,\lambda i{:}I.\,f_i(b)) \sim (\lambda b'{:}B.\,\lambda i{:}I.\,f'_i(b')).$$

For all predicates p and all b, b' in B such that $b\,[S(p)]\,b'$, we have that 

$$\forall i \in I.\ f_i(b)\,[R_i(p)]\,f'_i(b').$$

Thus, 

$$(\lambda i{:}I.\,f_i(b))\,[(\Pi_{i \in I} R_i)(p)]\,(\lambda i{:}I.\,f'_i(b')).$$

This relationship gives the required equivalence. □ 

Lemma 4.6 ensures that taking a quotient of morphisms in C gives a well-defined category, 
which we call D. Category D inherits all the interesting structure of C by Lemma 4.6: 
it is cartesian closed, has all small products, and has a functor $\mathit{inv}' \colon D \times \mathcal{P}_\sqsubseteq \to D$ that 
preserves the CCC structure and the small products of D. Let E be the "quotienting" functor 
from C to D, and $\mathit{tri}' \colon \mathcal{P}^{op} \times \mathcal{P} \to D$ the composition of E with tri. We summarize the main 
properties of D in the following two lemmas: 
Lemma 4.7. The category D is a CCC with all small products, and has two functors 
$\mathit{inv}' \colon D \times \mathcal{P}_\sqsubseteq \to D$ and $\mathit{tri}' \colon \mathcal{P}^{op} \times \mathcal{P} \to D$ such that 

(1) inv'(-, p) preserves all the CCC structure and the small products of D; 

(2) $\mathit{inv}'(-, p) \circ \mathit{inv}'(-, q) = \mathit{inv}'(-, p * q)$; and 

(3) $\mathit{inv}'(-, p) \circ \mathit{tri}' = \mathit{tri}'(-*p, -*p)$. 

Proof. First, we prove that D has all the small products. Let $\{(A_i, R_i)\}_{i \in I}$ be a small family 
of objects in D. We show that the product of this family is $(\Pi_{i \in I} A_i, \Pi_{i \in I} R_i)$ and the i-th 
projection is $[\pi_i]$, where [f] means the equivalence class of the morphism f. Consider an 
arbitrary family $\{[f_i] \colon (B, S) \to (A_i, R_i)\}_{i \in I}$ of morphisms in D. This family induces some 
family $\{f_i\}_{i \in I}$ in C. Since $(\Pi_{i \in I} A_i, \Pi_{i \in I} R_i)$ is the product in C, there exists a morphism 
$\langle f_i \rangle_{i \in I} \colon (B, S) \to (\Pi_{i \in I} A_i, \Pi_{i \in I} R_i)$ such that $\pi_i \circ \langle f_i \rangle_{i \in I} = f_i$ for all $i \in I$. The equivalence 
class $[\langle f_i \rangle_{i \in I}]$ of this morphism is the required unique morphism in D. It makes the required 
diagrams for the products commute, because 

$$\forall i \in I.\ [\pi_i] \circ [\langle f_i \rangle_{i \in I}] = [\pi_i \circ \langle f_i \rangle_{i \in I}] = [f_i].$$

For the uniqueness, suppose that [k] is another morphism in D that makes the diagram 
commute. Then, [k] must be equal to $[\langle f_i \rangle_{i \in I}]$, as shown below: 

$$(\forall i \in I.\ [\pi_i] \circ [k] = [f_i]) \iff (\forall i \in I.\ [\pi_i \circ k] = [f_i]) \quad (\because \sim \text{ is preserved by } \circ)$$

$$\implies [\langle \pi_i \circ k \rangle_{i \in I}] = [\langle f_i \rangle_{i \in I}] \quad (\because \sim \text{ is preserved by the pairing})$$

$$\iff [k] = [\langle f_i \rangle_{i \in I}].$$

Second, we show that D has the exponentials. Let ((A, R), (B, S)) be a pair of objects 
in D. We prove that $(A \Rightarrow B, R \Rightarrow S)$ is an exponential of this pair, and the evaluation 
morphism is the equivalence class [ev]. Consider a morphism $[f] \colon (C, T) \times (A, R) \to (B, S)$ 
in D. We need to prove that the universality requirement holds for [f]: there exists a unique 
morphism $[g] \colon (C, T) \to (A \Rightarrow B, R \Rightarrow S)$ in D such that 

$$[f] = [\mathit{ev}] \circ \langle [g] \circ [\pi_0], [\pi_1] \rangle.$$

The equation in the requirement implies that [g] should be equal to [curry(f)]: 

$$[f] = [\mathit{ev}] \circ \langle [g] \circ [\pi_0], [\pi_1] \rangle \implies [f] = [\mathit{ev}] \circ \langle [g \circ \pi_0], [\pi_1] \rangle \quad (\because \text{the composition preserves } \sim)$$

$$\implies [f] = [\mathit{ev}] \circ [\langle g \circ \pi_0, \pi_1 \rangle] \quad (\because \text{the pairing preserves } \sim)$$

$$\implies [f] = [\mathit{ev} \circ \langle g \circ \pi_0, \pi_1 \rangle] \quad (\because \text{the composition preserves } \sim)$$

$$\implies [\mathit{curry}(f)] = [\mathit{curry}(\mathit{ev} \circ \langle g \circ \pi_0, \pi_1 \rangle)] \quad (\because \text{curry preserves } \sim)$$

$$\implies [\mathit{curry}(f)] = [g].$$

Thus, D has at most one morphism [g] that satisfies the universality requirement. We now 
show that [curry(f)] satisfies the requirement. By the definition of curry, we have that 

$$f = \mathit{ev} \circ \langle \mathit{curry}(f) \circ \pi_0, \pi_1 \rangle.$$

This equation implies that [curry(f)] makes the required diagram commute: 

$$f = \mathit{ev} \circ \langle \mathit{curry}(f) \circ \pi_0, \pi_1 \rangle \implies [f] = [\mathit{ev} \circ \langle \mathit{curry}(f) \circ \pi_0, \pi_1 \rangle]$$

$$\implies [f] = [\mathit{ev}] \circ [\langle \mathit{curry}(f) \circ \pi_0, \pi_1 \rangle] \quad (\because \circ \text{ preserves } \sim)$$

$$\implies [f] = [\mathit{ev}] \circ \langle [\mathit{curry}(f) \circ \pi_0], [\pi_1] \rangle \quad (\because \text{pairing preserves } \sim)$$

$$\implies [f] = [\mathit{ev}] \circ \langle [\mathit{curry}(f)] \circ [\pi_0], [\pi_1] \rangle \quad (\because \circ \text{ preserves } \sim).$$

Finally, we prove the three properties of inv'. Note that the categories C and D have the 
same collection of objects, and they have the same exponentials and same small products, 
as far as the objects are concerned. Moreover, for objects, the functors inv'(-, p) and 
inv(-, p) are identical. Thus, $\mathit{inv}'(-, p) \colon D \to D$ preserves the exponential objects and 
small product objects in D if and only if inv(-, p) preserves those in C; the right hand side 
of this equivalence holds by Lemma 4.3. The functor inv'(-, p) also preserves [ev] and $[\pi_i]$, 
because $\mathit{inv}'([f], p) = [\mathit{inv}(f, p)] = [f]$. So, inv'(-, p) preserves the CCC structure and the 
small products. 

For the second property of inv', we note that the equation in the property holds for 
the objects, because for all predicates r, functors inv'(-, r) and inv(-, r) behave the same 
on the objects, and $\mathit{inv}(-, p) \circ \mathit{inv}(-, q) = \mathit{inv}(-, p * q)$. The equation also holds for the 
morphisms, because $\mathit{inv}'([f], r) = [f]$ for all f, r. 

For the third property of inv', we recall that $\mathit{tri}' = E \circ \mathit{tri}$. Thus, it is sufficient to show 
that 

$$\mathit{inv}'(-, p) \circ E \circ \mathit{tri} = E \circ \mathit{tri}(-*p, -*p).$$

The equation holds for the objects: E is the identity on the objects, inv and inv' are the 
same for objects, and $\mathit{inv}(-, p) \circ \mathit{tri} = \mathit{tri}(-*p, -*p)$. For the morphisms, the equation also 
holds, because both sides of the equation map each morphism in $\mathcal{P}^{op} \times \mathcal{P}$ to the equivalence 
class of an inclusion. □ 

Lemma 4.8. The functor E from C to D is full, preserves the CCC structure as well as 
small products, and makes the following diagrams commute: 

$$\begin{array}{ccc} C \times \mathcal{P}_\sqsubseteq & \xrightarrow{\ \mathit{inv}\ } & C \\ {\scriptstyle E \times \mathrm{Id}}\downarrow & & \downarrow{\scriptstyle E} \\ D \times \mathcal{P}_\sqsubseteq & \xrightarrow{\ \mathit{inv}'\ } & D \end{array} \qquad\qquad \begin{array}{ccc} \mathcal{P}^{op} \times \mathcal{P} & \xrightarrow{\ \mathit{tri}\ } & C \\ {\scriptstyle \mathrm{Id}}\downarrow & & \downarrow{\scriptstyle E} \\ \mathcal{P}^{op} \times \mathcal{P} & \xrightarrow{\ \mathit{tri}'\ } & D \end{array}$$

Proof. The categories C and D have the same collection of objects, and their CCC structure 
and small products are identical, as far as the objects are concerned. Since E is the identity 
on objects, it preserves the exponential objects and small product objects. Moreover, E 
preserves the evaluation and projection morphisms, because the evaluation and projection 
morphisms in D are just the equivalence classes of the corresponding morphisms in C, and 
E maps f to its equivalence class [f]. Thus, functor E preserves the CCC structure and 
the small products of C. 

The commutative diagram for inv holds for the objects, because inv and inv' behave the 
same for the objects and E is the identity on the objects. To show that the diagram also 
holds for the morphisms, we pick an arbitrary morphism $(f, p \sqsubseteq q)$ in $C \times \mathcal{P}_\sqsubseteq$. Then, 

$$(\mathit{inv}' \circ (E \times \mathrm{Id}))(f, p \sqsubseteq q) = \mathit{inv}'([f], p \sqsubseteq q) = [f] = (E \circ \mathit{inv})(f, p \sqsubseteq q).$$

Finally, the commutative diagram for tri' is the definition of tri', so it must hold. □ 



4.2. Interpretation of the Language. We interpret the language in two steps. First, 
we define the semantics $[-]^C$ in the family fibration $\mathit{Fam}(C) \to \mathit{Set}$. Each base set in the 
fibration models all the possible environments for a fixed shape of the stack (i.e., a fixed 
set of integer variables Δ). For instance, the object $\{(A_\eta, R_\eta)\}_{\eta \in [\Delta]}$ assumes that all the 
available integer variables are in Δ, and it specifies a type dependent on the values of 
such variables, given by η. The types and terms of our language are interpreted using the 
categorical structure of the fibration. Next, we quotient the semantics $[-]^C$ to get the more 
abstract, official interpretation $[-]$, which uses category D instead of C. 
4.2.1. Semantics $[-]^C$ in $\mathit{Fam}(C) \to \mathit{Set}$. The interpretation is explicit about the set of 
variables under which we consider types, type assignments, and terms. Write $\Delta \vdash \Gamma$ to 
mean that $\Delta \vdash \Gamma(x) : \mathit{Type}$ for all x in the domain of Γ. 

The semantics of $\Delta \vdash \theta\ (: \mathit{Type})$ and $\Delta \vdash \Gamma$ is given by a family of objects in C indexed 
by the environments in [Δ]. The precise definition of $[\theta]^C$ and $[\Gamma]^C$ is given as follows: for 
$\eta \in [\Delta]$, 

$$[\Delta \vdash \{P\}\text{-}\{Q\}]^C_\eta = \mathit{tri}([\Delta \vdash P]_\eta, [\Delta \vdash Q]_\eta),$$
$$[\Delta \vdash \theta \otimes P]^C_\eta = \mathit{inv}([\Delta \vdash \theta]^C_\eta, [\Delta \vdash P]_\eta),$$
$$[\Delta \vdash \theta \to \theta']^C_\eta = [\Delta \vdash \theta]^C_\eta \Rightarrow [\Delta \vdash \theta']^C_\eta,$$
$$[\Delta \vdash \Pi i.\theta]^C_\eta = \Pi_{n \in \mathit{Val}}\,[\Delta \cup \{i\} \vdash \theta]^C_{\eta[i \mapsto n]},$$
$$[\Delta \vdash \Gamma]^C_\eta = \Pi_{x \in \mathit{dom}(\Gamma)}\,[\Delta \vdash \Gamma(x)]^C_\eta.$$

Note that tri is used to interpret the triple type {P}-{Q}, and inv to interpret the invariant 
extension θ ⊗ P. 

Each subtype relation $\theta \leq_\Delta \theta'$ is interpreted as a family of morphisms in C of the shape 

$$\{\lambda x.\,x \colon [\Delta \vdash \theta]^C_\eta \to [\Delta \vdash \theta']^C_\eta\}_{\eta \in [\Delta]}.$$

Note that every morphism in the family is implemented (or realized) by the identity function. 
In order for this definition to typecheck, the underlying cpo of the source object $[\theta]^C_\eta$ should 
be included in that of the target $[\theta']^C_\eta$, and the parameterized per of the source should imply 
that of the target for all instantiations. In the lemma below, we prove that both of these 
requirements hold. 

Lemma 4.9. If a subtype relation $\theta \leq_\Delta \theta'$ is derivable, then for all η in [Δ], 

(1) objects $[\Delta \vdash \theta]^C_\eta$ and $[\Delta \vdash \theta']^C_\eta$ have the same underlying cpo, and 

(2) their per parts R and R' satisfy $\forall p.\ R(p) \subseteq R'(p)$. 

Proof. The proof proceeds by induction on the derivation of $\theta \leq_\Delta \theta'$. First, we consider 
the base cases where $\theta \leq_\Delta \theta'$ is proved by an axiom. In all the base cases except the 
generalized frame rule, objects $[\theta]^C_\eta$ and $[\theta']^C_\eta$ are identical, because inv preserves all categorical 
structure used to interpret types (Lemmas 4.3, 4.4 and 4.5). When $\theta \leq_\Delta \theta'$ is derived by 
the generalized frame rule, so that $\theta' = \theta \otimes P$ for some P, object $[\theta']^C_\eta$ is $\mathit{inv}([\theta]^C_\eta, [P]_\eta)$. 
Thus, by the definition of inv, there exist A and R such that 

$$[\theta']^C_\eta = (A, R([P]_\eta * -)) \quad \text{and} \quad [\theta]^C_\eta = (A, R).$$

The above two equations show that $[\theta']^C_\eta$ and $[\theta]^C_\eta$ have the same underlying cpo. They also 
imply the requirement for the parameterized pers, because $R(p) \subseteq R(p * [P]_\eta) = R([P]_\eta * p)$ 
for all p. 

Second, we consider the case that Consequence is applied in the last step of the derivation. 
In this case, the derivation of $\theta \leq_\Delta \theta'$ has the following shape: 

$$\frac{\forall \eta \in [\Delta].\ [P']_\eta \subseteq [P]_\eta \wedge [Q]_\eta \subseteq [Q']_\eta}{\{P\}\text{-}\{Q\} \leq_\Delta \{P'\}\text{-}\{Q'\}}$$

By the definition of the semantics of types, both $[\{P\}\text{-}\{Q\}]^C_\eta$ and $[\{P'\}\text{-}\{Q'\}]^C_\eta$ have comm 
as their underlying cpo. We will now show that their parameterized pers also satisfy the 
requirement in the lemma. Let R, R' be the parameterized pers of $[\{P\}\text{-}\{Q\}]^C_\eta$ and $[\{P'\}\text{-}\{Q'\}]^C_\eta$, 





L. BIRKEDAL, N. TORP-SMITH, AND H. YANG 



respectively. Then, for all p and $c_0, c_1 \in \mathit{comm}$, 

$$c_0\,[R(p)]\,c_1 \iff (\forall h \in [P]_\eta * p * \mathit{true}.\ c_0(h) = c_1(h)) \wedge (c_0, c_1 \in |R(p)|)$$

$$\iff (\forall h \in [P]_\eta * p * \mathit{true}.\ c_0(h) = c_1(h)) \wedge (\forall h \in [P]_\eta * p.\ c_0(h), c_1(h) \subseteq [Q]_\eta * p)$$

$$\implies (\forall h \in [P']_\eta * p * \mathit{true}.\ c_0(h) = c_1(h)) \wedge (\forall h \in [P']_\eta * p.\ c_0(h), c_1(h) \subseteq [Q']_\eta * p)$$

$$\iff (\forall h \in [P']_\eta * p * \mathit{true}.\ c_0(h) = c_1(h)) \wedge (c_0, c_1 \in |R'(p)|)$$

$$\iff c_0\,[R'(p)]\,c_1.$$

The implication above uses the assumption that P' is the strengthening of P and Q' is 
the weakening of Q, and all the equivalences are simply the rolling or unrolling of some 
definition. We have just shown that $R(p) \subseteq R'(p)$ for all p, as required. 

Third, we consider the cases of the inference rules for the type constructors →, Π and 
⊗. All these cases follow from the induction hypothesis and the definition of the appropriate 
functors, which are used to interpret →, Π and ⊗. We illustrate this general pattern by 
proving the case of →. Suppose that the last step of the derivation of $\theta \leq_\Delta \theta'$ has the form: 

$$\frac{\theta'_0 \leq_\Delta \theta_0 \qquad \theta_1 \leq_\Delta \theta'_1}{\theta_0 \to \theta_1 \leq_\Delta \theta'_0 \to \theta'_1}$$

For i = 0, 1, let $(A_i, R_i) = [\theta_i]^C_\eta$ and $(A'_i, R'_i) = [\theta'_i]^C_\eta$. Then, by the induction hypothesis, 
we have that 

$$A'_0 = A_0,\quad A'_1 = A_1,\quad (\forall p.\ R'_0(p) \subseteq R_0(p)),\quad \text{and}\quad (\forall p.\ R_1(p) \subseteq R'_1(p)).$$

So, the underlying cpos of $[\theta_0 \to \theta_1]^C_\eta$ and $[\theta'_0 \to \theta'_1]^C_\eta$ are the same cpo of continuous 
functions from $A_0$ to $A_1$. The remaining requirement is to show that $(R_0 \Rightarrow R_1)(p) \subseteq (R'_0 \Rightarrow R'_1)(p)$ 
for all p, and it is proved below: 

$$f\,[(R_0 \Rightarrow R_1)(p)]\,g \iff \forall p_0.\ f\,[R_0(p * p_0) \to R_1(p * p_0)]\,g \quad (\because \text{Def. of } R_0 \Rightarrow R_1)$$

$$\implies \forall p_0.\ f\,[R'_0(p * p_0) \to R'_1(p * p_0)]\,g \quad (\because \forall q.\ R'_0(q) \subseteq R_0(q) \wedge R_1(q) \subseteq R'_1(q))$$

$$\iff f\,[(R'_0 \Rightarrow R'_1)(p)]\,g \quad (\because \text{Def. of } R'_0 \Rightarrow R'_1).$$

Finally, we consider the inference rule for transitivity. Suppose that the last step of the 
derivation of $\theta \leq_\Delta \theta'$ has the form: 

$$\frac{\theta \leq_\Delta \theta_0 \qquad \theta_0 \leq_\Delta \theta'}{\theta \leq_\Delta \theta'}$$

By the induction hypothesis, all of $[\theta]^C_\eta$, $[\theta_0]^C_\eta$ and $[\theta']^C_\eta$ have the same underlying cpo. Let 
$R, R_0, R'$ be the parameterized pers of $[\theta]^C_\eta$, $[\theta_0]^C_\eta$ and $[\theta']^C_\eta$, respectively. By the induction 
hypothesis again, we have that 

$$\forall p.\ R(p) \subseteq R_0(p) \subseteq R'(p).$$

We have just shown that the lemma holds in this case. □ 

Finally, we define the semantics of each typing judgment $\Gamma \vdash_\Delta M : \theta$ by an indexed 
family of morphisms in C of the form: 

$$\{f_\eta \colon [\Delta \vdash \Gamma]^C_\eta \to [\Delta \vdash \theta]^C_\eta\}_{\eta \in [\Delta]}.$$

The semantics is given by induction on the derivation of the judgment, and it is shown in 
Figure 6. The interpretation uses the categorical structure of C in a standard way. The 
only specific parts are the interpretation of basic imperative operations, where we use six 
basic semantic constants 

skip, seq, new, read, free, and write, 

which are also defined in the figure. 

For this interpretation of terms, the question of well-definedness arises, because of the 
introduction and elimination of the dependent function type $\Pi i.\theta$. The semantic definition of 
$\lambda i.M$ assumes that if Γ does not contain the variable i, it is interpreted as the same object 
in C no matter how we change or even drop the value of i in the index. The definition 
of $[M\,E]$ assumes that the reindexing precisely models the substitution. The following 
lemmas show that these two assumptions indeed hold. 

Lemma 4.10. If $i \notin \Delta$ and $\Delta \vdash \theta$, then 

$$\forall \eta \in [\Delta].\ \forall n \in \mathit{Val}.\ [\Delta \vdash \theta]^C_\eta = [\Delta \cup \{i\} \vdash \theta]^C_{\eta[i \mapsto n]}.$$

Proof. The lemma can be proved by straightforward induction on the structure of θ. We 
omit the details. □ 

Lemma 4.11. If $i \notin \Delta$ and $\Delta \vdash \Gamma$, then 

$$\forall \eta \in [\Delta].\ \forall n \in \mathit{Val}.\ [\Delta \vdash \Gamma]^C_\eta = [\Delta \cup \{i\} \vdash \Gamma]^C_{\eta[i \mapsto n]}.$$

Proof. The lemma follows from Lemma 4.10, as shown below: 

$$[\Delta \cup \{i\} \vdash \Gamma]^C_{\eta[i \mapsto n]} = \Pi_{x \in \mathit{dom}(\Gamma)}\,[\Delta \cup \{i\} \vdash \Gamma(x)]^C_{\eta[i \mapsto n]}$$

$$= \Pi_{x \in \mathit{dom}(\Gamma)}\,[\Delta \vdash \Gamma(x)]^C_\eta \quad (\because \text{Lemma 4.10})$$

$$= [\Delta \vdash \Gamma]^C_\eta.$$

□ 

Lemma 4.12. If $i \notin \Delta$, $\Delta \cup \{i\} \vdash \theta$, and $\Delta \vdash E$, then 

$$\forall \eta \in [\Delta].\ [\Delta \vdash \theta[E/i]]^C_\eta = [\Delta \cup \{i\} \vdash \theta]^C_{\eta[i \mapsto [E]_\eta]}.$$

Proof. This lemma holds because the reindexing of the family fibration $\mathit{Fam}(C) \to \mathit{Set}$ 
preserves on the nose all the categorical structure that is used to interpret types. A more 
concrete, direct proof can be obtained by induction on the structure of θ. We omit the 
details. □ 



4.2.2. Semantics ⟦−⟧ in Fam(D) → Set. The official semantics ⟦−⟧ of the language uses 
the fibration Fam(D) → Set, rather than Fam(C) → Set. It is obtained by applying the 
embedding functor E: C → D to the semantics ⟦−⟧^C of the previous section. Concretely, 
the semantics ⟦−⟧ is defined as follows: for all η ∈ ⟦Δ⟧, 

\llbracket \Delta \vdash \theta \rrbracket_\eta = E(\llbracket \Delta \vdash \theta \rrbracket^{\mathcal{C}}_\eta) = \llbracket \Delta \vdash \theta \rrbracket^{\mathcal{C}}_\eta , 

\llbracket \Delta \vdash \Gamma \rrbracket_\eta = E(\llbracket \Delta \vdash \Gamma \rrbracket^{\mathcal{C}}_\eta) = \llbracket \Delta \vdash \Gamma \rrbracket^{\mathcal{C}}_\eta , 

\llbracket \Gamma \vdash_\Delta M : \theta \rrbracket_\eta = E(\llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathcal{C}}_\eta) . 
Note that in the first two equations, we use the fact that E is the identity on objects. 
\llbracket \Gamma, x{:}\theta \vdash_\Delta x : \theta \rrbracket^{\mathcal{C}}_\eta\,\rho = \rho(x) 

\llbracket \Gamma \vdash_\Delta \lambda x{:}\theta.\,M : \theta \to \theta' \rrbracket^{\mathcal{C}}_\eta\,\rho = \lambda c.\ \llbracket \Gamma, x{:}\theta \vdash_\Delta M : \theta' \rrbracket^{\mathcal{C}}_\eta\,(\rho[x \mapsto c]) 

\llbracket \Gamma \vdash_\Delta M\,M' : \theta \rrbracket^{\mathcal{C}}_\eta\,\rho = (\llbracket \Gamma \vdash_\Delta M : \theta' \to \theta \rrbracket^{\mathcal{C}}_\eta\,\rho)\,(\llbracket \Gamma \vdash_\Delta M' : \theta' \rrbracket^{\mathcal{C}}_\eta\,\rho) 

\llbracket \Gamma \vdash_\Delta \lambda i.\,M : \Pi i.\,\theta \rrbracket^{\mathcal{C}}_\eta\,\rho = \lambda n.\ \llbracket \Gamma \vdash_{\Delta \cup \{i\}} M : \theta \rrbracket^{\mathcal{C}}_{\eta[i \mapsto n]}\,\rho 

\llbracket \Gamma \vdash_\Delta M\,E : \theta[E/i] \rrbracket^{\mathcal{C}}_\eta\,\rho = (\llbracket \Gamma \vdash_\Delta M : \Pi i.\,\theta \rrbracket^{\mathcal{C}}_\eta\,\rho)\,(\llbracket E \rrbracket_\eta) 

\llbracket \Gamma \vdash_\Delta M : \theta' \rrbracket^{\mathcal{C}}_\eta\,\rho = (\llbracket \theta \preceq_\Delta \theta' \rrbracket^{\mathcal{C}}_\eta)\,(\llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathcal{C}}_\eta\,\rho) 

\llbracket \Gamma \vdash_\Delta \mathrm{fix}\,M : \theta \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathit{lfix}\,(\llbracket \Gamma \vdash_\Delta M : \theta \to \theta \rrbracket^{\mathcal{C}}_\eta\,\rho) 

\llbracket \Gamma \vdash_\Delta \mathrm{ifz}\,E\,M\,M' : \{P\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathrm{if}\ (\llbracket \Delta \vdash E \rrbracket_\eta = 0)\ \mathrm{then}\ \llbracket \Gamma \vdash_\Delta M : \{P \wedge E{=}0\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_\eta\,\rho\ \mathrm{else}\ \llbracket \Gamma \vdash_\Delta M' : \{P \wedge E{\neq}0\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_\eta\,\rho 

\llbracket \Gamma \vdash_\Delta M;M' : \{P\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathit{seq}\,(\llbracket \Gamma \vdash_\Delta M : \{P\}\text{-}\{P'\} \rrbracket^{\mathcal{C}}_\eta\,\rho,\ \llbracket \Gamma \vdash_\Delta M' : \{P'\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_\eta\,\rho) 

\llbracket \Gamma \vdash_\Delta \mathrm{skip} : \{P\}\text{-}\{P\} \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathit{skip}\,(\bot) 

\llbracket \Gamma \vdash_\Delta \mathrm{let}\ i{=}\mathrm{new}\ \mathrm{in}\ M : \{P\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathit{new}\,(\lambda n.\ \llbracket \Gamma \vdash_{\Delta \cup \{i\}} M : \{i \mapsto - * P\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_{\eta[i \mapsto n]}\,\rho) 

\llbracket \Gamma \vdash_\Delta \mathrm{let}\ i{=}[E]\ \mathrm{in}\ M : \{\exists i.\,E \mapsto i * P\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathit{read}\,(\llbracket \Delta \vdash E \rrbracket_\eta)\,(\lambda n.\ \llbracket \Gamma \vdash_{\Delta \cup \{i\}} M : \{E \mapsto i * P\}\text{-}\{Q\} \rrbracket^{\mathcal{C}}_{\eta[i \mapsto n]}\,\rho) 

\llbracket \Gamma \vdash_\Delta \mathrm{free}(E) : \{E \mapsto -\}\text{-}\{\mathrm{emp}\} \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathit{free}\,(\llbracket \Delta \vdash E \rrbracket_\eta)\,(\bot) 

\llbracket \Gamma \vdash_\Delta [E]{:=}E' : \{E \mapsto -\}\text{-}\{E \mapsto E'\} \rrbracket^{\mathcal{C}}_\eta\,\rho = \mathit{write}\,(\llbracket \Delta \vdash E \rrbracket_\eta, \llbracket \Delta \vdash E' \rrbracket_\eta)\,(\bot) 

where skip, seq, new, read(m), free(m), and write(m,m') are the following morphisms in 
C: 

m \mapsto - \in \mathrm{Pred} \stackrel{\mathrm{def}}{=} \{[m \mapsto n] \mid n \in \mathrm{Val}\} 

m \mapsto m' \in \mathrm{Pred} \stackrel{\mathrm{def}}{=} \{[m \mapsto m']\} 

\mathit{skip}_p : 1 \to \mathrm{tri}(p,p) \stackrel{\mathrm{def}}{=} \lambda x.\,\lambda h.\,\{h\} 

\mathit{seq}_{p,p',q} : \mathrm{tri}(p,p') \times \mathrm{tri}(p',q) \to \mathrm{tri}(p,q) \stackrel{\mathrm{def}}{=} \lambda (c,c').\,\lambda h.\,\{\mathit{wrong} \mid \mathit{wrong} \in c(h)\} \cup \bigcup\{c'(h') \mid h' \in c(h)\} 

\mathit{new}_{p,q} : (\prod_{n \in \mathrm{Val}} \mathrm{tri}(n \mapsto - * p,\, q)) \to \mathrm{tri}(p,q) \stackrel{\mathrm{def}}{=} \lambda c.\,\lambda h.\,\bigcup\{c(n)([n \mapsto n'] \cdot h) \mid n, n' \in \mathrm{Val} \wedge n \notin \mathrm{dom}(h)\} 

\mathit{read}(m)(\{p_n\}_{n \in \mathrm{Val}}) : (\prod_{n \in \mathrm{Val}} \mathrm{tri}(m \mapsto n * p_n,\, q)) \to \mathrm{tri}(\bigcup\{m \mapsto n * p_n \mid n \in \mathrm{Val}\},\, q) \stackrel{\mathrm{def}}{=} \lambda c.\,\lambda h.\ \mathrm{if}\ m \in \mathrm{dom}(h)\ \mathrm{then}\ c(h(m))(h)\ \mathrm{else}\ \{\mathit{wrong}\} 

\mathit{free}(m) : 1 \to \mathrm{tri}(m \mapsto -,\, \mathrm{emp}) \stackrel{\mathrm{def}}{=} \lambda x.\,\lambda h.\ \mathrm{if}\ m \in \mathrm{dom}(h)\ \mathrm{then}\ \{h[m \mapsto \mathit{undef}]\}\ \mathrm{else}\ \{\mathit{wrong}\} 

\mathit{write}(m,m') : 1 \to \mathrm{tri}(m \mapsto -,\, m \mapsto m') \stackrel{\mathrm{def}}{=} \lambda x.\,\lambda h.\ \mathrm{if}\ m \in \mathrm{dom}(h)\ \mathrm{then}\ \{h[m \mapsto m']\}\ \mathrm{else}\ \{\mathit{wrong}\} 

Figure 6: Interpretation of Terms 
We point out that ⟦−⟧ can be presented in a compositional style, using the categorical 
structure of the fibration Fam(D) → Set.¹ In that presentation, the types are interpreted 
using exponentials, small products, inv' and tri' for D; and the terms are interpreted by 
appropriate categorical combinators and the embedding of the six constants in Figure 6. This 
direct definition of ⟦−⟧ is identical to the semantics in this section, because the embedding 
functor E preserves all the relevant categorical structure (Lemma 4.8). 

4.3. Adequacy. Our semantics of terms needs further justification in two ways. First, 
the interpretation of a typing judgment needs to be shown coherent. The interpretation is 
defined over a proof derivation of the judgment, so two different derivations of the same 
judgment might have different denotations. This is troublesome for us especially, because 
our goal is to give a semantics of a programming language with a separation-logic type 
system, instead of a semantics of a proof in separation logic. Second, the connection with 
the standard semantics needs to be provided. Our semantics uses subsumption which never 
arises in the standard interpretation. Thus, it could be substantially different from the 
standard interpretation. In this section, we address both of these issues. 

We consider another interpretation ⟦−⟧^CPO of our language, called the standard interpre- 
tation, which ignores all assertions in the types. In the standard interpretation, {P}-{Q} 
means the same thing no matter what P and Q are, and for all P, θ ⊗ P and θ have 
identical interpretations. Let tri'' be the constant functor from 𝒫^op × 𝒫 to CPO such that 
tri''(p, q) = comm, and let inv'' be the functor given by the first projection from CPO × 𝒫_r to 
CPO. The standard interpretation is the interpretation in Section 4.2.1 where we use CPO, 
tri'' and inv'' instead of C, tri and inv. It interprets types and type assignments just like the 
interpretation in Section 4.2.1, but it uses functors on CPO, instead of those on C. 

Lemma 4.13. If a subtype relation θ ≼_Δ θ' is derivable, then θ and θ' have the identical 
denotation in the standard interpretation. 

Proof. We prove the lemma by induction on the derivation of the subtype relation θ ≼_Δ θ'. 
First, we consider the case that the subtype relation is derived by an axiom. In all six 
axioms, θ and θ' are both Hoare-triple types, or they differ only in the invariant 
added by ⊗. Note that in the standard interpretation, all triple types mean the same cpo 
comm and the invariants added by ⊗ are ignored. Thus, we have that ⟦θ⟧^CPO_η = ⟦θ'⟧^CPO_η for 
all environments η ∈ ⟦Δ⟧. Next, we consider the cases where some inference rule is applied 
at the last step of the derivation. Pick an environment η in ⟦Δ⟧. If the last rule in the 
derivation is Consequence, both θ and θ' are Hoare-triple objects, so ⟦θ⟧^CPO_η and ⟦θ'⟧^CPO_η are 
the same cpo comm. If the last applied rule is an inference rule other than Consequence, 
⟦θ⟧^CPO_η and ⟦θ'⟧^CPO_η are obtained by applying the same functor to the denotations of their 
subparts. By applying the induction hypothesis to these subparts, we can prove the lemma. 
For instance, if the last applied rule is the structural rule for →, there are θ_0, θ'_0, θ_1, θ'_1 such 
that 

\theta = \theta_0 \to \theta_1,\quad \theta' = \theta'_0 \to \theta'_1,\quad \theta'_0 \preceq_\Delta \theta_0,\quad \text{and}\quad \theta_1 \preceq_\Delta \theta'_1 . 
By the induction hypothesis, ⟦θ_i⟧^CPO_η = ⟦θ'_i⟧^CPO_η for i = 0, 1. This implies that ⟦θ⟧^CPO_η and 
⟦θ'⟧^CPO_η are identical. □ 



¹The conference version of this paper defined ⟦−⟧ in such a style. 
The standard interpretation defines the meaning of typing judgments Γ ⊢_Δ M : θ 
by repeating the clauses in Figure 6. Although the interpretation is given inductively 
on the typing derivation, Lemma 4.13 ensures that ⟦Γ ⊢_Δ M : θ⟧^CPO does not depend on 
derivations, because it guarantees that ⟦θ ≼_Δ θ'⟧^CPO is the identity morphism. As usual, we 
can give the operational semantics, and prove the computational adequacy of the standard 
interpretation. Since this is completely standard, we omit it. 

The standard interpretation is closely related to the semantics ⟦−⟧^C in Section 4.2.1. 
Note that from the category C to CPO, there is a forgetful functor F that maps an object 
(A,R) to A, and a morphism f to f. This forgetful functor preserves all the categorical 
structure of C that we use to interpret the types of our language: 

Lemma 4.14. F is a faithful functor that preserves the CCC structure and the small 
products of C, and makes the following diagrams commute (written here as the equations 
the two squares express). 

\mathit{inv}'' \circ (F \times \mathrm{Id}) = F \circ \mathit{inv} : \mathcal{C} \times \mathcal{P}_r \to \mathbf{CPO}, \qquad \mathit{tri}'' \circ \mathrm{Id} = F \circ \mathit{tri} : \mathcal{P}^{op} \times \mathcal{P} \to \mathbf{CPO}. 

Proof. First, we prove that the forgetful functor F preserves the exponentials and small 
products of C. For this, it is sufficient to prove the preservation of four elements: exponen- 
tial objects, small product objects, evaluation morphisms, and projection morphisms. Note 
that both the CCC structure and small products of C are defined using the corresponding 
structure of CPO; the first components of exponential objects and small product objects 
of C are defined by exponential objects and small product objects of CPO, and evaluation 
morphisms and projection morphisms in C are precisely evaluation morphisms and projec- 
tion morphisms in CPO. Since F projects the first component of each object in C and maps 
each morphism in C to itself, it preserves the required four elements. For instance, for all 
objects (A,R), (B,S) in C, the first component of their exponential (A,R) ⇒ (B,S) is the 
cpo A ⇒ B of continuous functions from A to B, which is precisely the exponential of A 
and B in CPO. Thus, F((A,R) ⇒ (B,S)) is F(A) ⇒ F(B). 

Next, we prove that the diagram for inv and inv'' commutes. Since inv'' is the projection 
of the first component, inv'' ∘ (F × Id) is F ∘ fst. So, it suffices to show that F ∘ fst = F ∘ inv. 
Consider objects ((A,R),p), ((B,S),q) and a morphism (f, p ⊑ q) : ((A,R),p) → ((B,S),q) 
in C × 𝒫_r. Then, 

(F \circ \mathit{inv})((A,R),p) = F(A, R(p * -)) = A = (F \circ \mathit{fst})((A,R),p), \quad \text{and} 
(F \circ \mathit{inv})(f, p \sqsubseteq q) = F(f) = f = (F \circ \mathit{fst})(f, p \sqsubseteq q). 

Thus, F ∘ fst = F ∘ inv, as required. 

Finally, we prove the commutative diagram for tri and tri''. Consider objects (or pred- 
icate pairs) (p,q), (p',q') and a morphism (p' ⊑ p, q ⊑ q') : (p,q) → (p',q') in 𝒫^op × 𝒫. 
Then, 

(F \circ \mathit{tri})(p,q) = F([p,q]) = \mathrm{comm} \quad \text{and} \quad (F \circ \mathit{tri})(p' \sqsubseteq p, q \sqsubseteq q') = \mathrm{id}. 

Thus, F ∘ tri is the constant functor to comm, so it is identical to tri''. □ 

Lemma 4.14 implies that the interpretation of types in CPO factors through the inter- 
pretation in C. The following lemma shows that the interpretation of terms has a similar 
property. 
Proposition 4.15. The functor F: C → CPO preserves the interpretation of terms: for all 
typing judgments Γ ⊢_Δ M : θ and all η ∈ ⟦Δ⟧, 

F(\llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathcal{C}}_\eta) = \llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathrm{CPO}}_\eta . 

Proof. Pick an arbitrary η ∈ ⟦Δ⟧ and choose any ρ' ∈ ⟦Γ⟧^CPO_η. Then, 

F(\llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathcal{C}}_\eta)\,\rho' = \llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathcal{C}}_\eta\,\rho' , 

because F(f) only changes the "type" of f, not the implementation of f. Thus, it is 
sufficient to show that 

\forall \eta, \rho'.\ \llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathcal{C}}_\eta\,\rho' = \llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathrm{CPO}}_\eta\,\rho' . 

We prove this equality by induction on the derivation of Γ ⊢_Δ M : θ. Since ⟦−⟧^CPO and 
⟦−⟧^C use the same clauses to define the meaning of Γ ⊢_Δ M : θ, the induction easily goes 
through in all cases. For instance, consider the case where the subsumption rule is applied 
at the last step of the derivation. For all environments η ∈ ⟦Δ⟧ and all ρ' ∈ ⟦Γ⟧^CPO_η, 

\llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathcal{C}}_\eta\,\rho' = (\llbracket \theta_0 \preceq_\Delta \theta \rrbracket^{\mathcal{C}}_\eta)\,(\llbracket \Gamma \vdash_\Delta M : \theta_0 \rrbracket^{\mathcal{C}}_\eta\,\rho') 

= \llbracket \Gamma \vdash_\Delta M : \theta_0 \rrbracket^{\mathcal{C}}_\eta\,\rho' \qquad (\because \llbracket \theta_0 \preceq_\Delta \theta \rrbracket^{\mathcal{C}}_\eta\,x = x) 

= \llbracket \Gamma \vdash_\Delta M : \theta_0 \rrbracket^{\mathrm{CPO}}_\eta\,\rho' \qquad (\because \text{Induction Hypothesis}) 

= (\llbracket \theta_0 \preceq_\Delta \theta \rrbracket^{\mathrm{CPO}}_\eta)\,(\llbracket \Gamma \vdash_\Delta M : \theta_0 \rrbracket^{\mathrm{CPO}}_\eta\,\rho') \qquad (\because \llbracket \theta_0 \preceq_\Delta \theta \rrbracket^{\mathrm{CPO}}_\eta\,x = x) 

= \llbracket \Gamma \vdash_\Delta M : \theta \rrbracket^{\mathrm{CPO}}_\eta\,\rho' . 

□ 



Recall that the official semantics ⟦−⟧ of our language is obtained by applying the full 
functor E to the semantics ⟦−⟧^C, and that the functor F is faithful. Together with these 
facts, Lemma 4.14 and Proposition 4.15 show that the official semantics ⟦−⟧ is obtained from 
the standard interpretation ⟦−⟧^CPO by first selecting some elements, and then quotienting 
those selected elements. 

Corollary 4.16. The semantics ⟦−⟧ is coherent: the semantics of a typing judgment does 
not depend on derivations. 

Proof. Let 𝒟_1 and 𝒟_2 be two derivations of a judgment Γ ⊢_Δ M : θ. We note that the 
standard semantics is coherent; only the subsumption rule is not syntax-directed, but in 
the standard semantics, this rule does not contribute to the interpretation, because all 
the subtype relations θ ≼_Δ θ' denote the family of identity morphisms. Thus, for all 
environments η ∈ ⟦Δ⟧, we have 

\llbracket \mathcal{D}_1 \rrbracket^{\mathrm{CPO}}_\eta = \llbracket \mathcal{D}_2 \rrbracket^{\mathrm{CPO}}_\eta . 

Then, by Proposition 4.15 and the faithfulness of F, 

\llbracket \mathcal{D}_1 \rrbracket^{\mathrm{CPO}}_\eta = \llbracket \mathcal{D}_2 \rrbracket^{\mathrm{CPO}}_\eta \Rightarrow F(\llbracket \mathcal{D}_1 \rrbracket^{\mathcal{C}}_\eta) = F(\llbracket \mathcal{D}_2 \rrbracket^{\mathcal{C}}_\eta) \qquad (\because \text{Proposition 4.15}) 

\Rightarrow \llbracket \mathcal{D}_1 \rrbracket^{\mathcal{C}}_\eta = \llbracket \mathcal{D}_2 \rrbracket^{\mathcal{C}}_\eta \qquad (\because F \text{ is faithful}) 

\Rightarrow E(\llbracket \mathcal{D}_1 \rrbracket^{\mathcal{C}}_\eta) = E(\llbracket \mathcal{D}_2 \rrbracket^{\mathcal{C}}_\eta) 

\Rightarrow \llbracket \mathcal{D}_1 \rrbracket_\eta = \llbracket \mathcal{D}_2 \rrbracket_\eta \qquad (\because \text{Definition of } \llbracket - \rrbracket). 

□ 






5. Conjunction Rule 

The conjunction rule is often omitted from Hoare logic, but it is a useful proof rule that 
lets one combine two Hoare triples about a single command. In our type system, it can be 
expressed as follows: 

\frac{\Gamma \vdash_\Delta M : \{P\}\text{-}\{Q\} \qquad \Gamma \vdash_\Delta M : \{P'\}\text{-}\{Q'\}}{\Gamma \vdash_\Delta M : \{P \wedge P'\}\text{-}\{Q \wedge Q'\}} 

Unfortunately, we cannot immediately include the conjunction rule in our type sys- 
tem. In [9], Reynolds has proved that if a proof system contains the conjunction rule 
and the second-order frame rule, together with Consequence and the ordinary (first-order) 
frame rule, then the system becomes inconsistent. More specifically, Reynolds's result im- 
plies that once the conjunction rule is added to our type system, we can derive ⊢_{} skip : 
{(∃x,y. x↦y) * true}-{false}, which incorrectly expresses that skip diverges when the input 
heap is not empty. 

In the case of the second-order frame rule, several solutions have been proposed to 
overcome this problem. In this section we adopt one of the proposals, modify the separation- 
logic type system accordingly, and extend the modified system with the conjunction rule. 
Then, we define an adequate semantics of the new type system, thereby showing that all 
the higher-order frame rules can be used with the conjunction rule, as long as the frame 
rules add only precise invariants. 

We recall the definition of precise predicates in separation logic [9]. A predicate p is 
precise if and only if for every heap h, there is at most one subheap h_0 of h (i.e., h_0 · h_1 = h 
for some h_1) such that h_0 ∈ p. We also call an assertion Δ ⊢ P precise when ⟦P⟧_η is a 
precise predicate for all η ∈ ⟦Δ⟧. 

The proposal that we use is to restrict the second-order frame rule such that it is used 
with only precise assertions. We adopt the proposal in our separation-logic type system by 
limiting the second parameter of the type constructor ⊗ to precise assertions. Note that 
in the resulting restricted type system, only precise assertions can be added as invariants, 
because the generalized frame rule θ ≼ θ ⊗ P is applicable only with a precise assertion P. 
Thus, the second- or third-order frame rule can add only precise assertions as invariants. We 
may then extend the restricted type system with the conjunction rule. Note that the result 
of this extension, denoted T, includes the conjunction rule and all (restricted) higher-order 
frame rules. In the remainder of this section, we focus on giving an adequate semantics of 
T. 

Before giving the semantics of T, we point out that requiring invariants to be precise 
is not as restrictive as it seems; all the examples in Section 3.1 use precise invariants only, 
so they typecheck in T. 

The semantics of the type system T is given by categories C_0 and D_0. The category C_0 
is identical to C, except that the per component of each object is parameterized by precise 
predicates, instead of all predicates. An object in C_0 is a pair of a cpo A and a parameterized 
per R, such that (1) the parameterization of R is over precise predicates, and (2) for all 
precise predicates p, q, the per R(p) implies R(p * q), i.e., R(p) ⊆ R(p * q). A morphism 
f: (A,R) → (B,S) in C_0 is a continuous function from A to B that maps R(p)-related 
elements to S(p)-related elements for all precise p. The other category D_0 is constructed 
by quotienting morphisms in C_0, in the same way as D is constructed from C. 






The categories C_0 and D_0 have all the categorical structure that we have used in the 
semantics in Section 4. They are cartesian closed categories with all the small products, and 
they have functors for invariant extension and Hoare triples. The only subtlety is that the 
preorder 𝒫_r, which is used for functors for invariant extension in Section 4, is now replaced 
by the preorder of precise predicates with the following order ⊑_p: for all precise predicates 
p, q, 

p \sqsubseteq_p q \iff \text{there exists a precise } r \text{ such that } p * r = q. 

This categorical structure is preserved by the functors for invariant extension, the forgetful 
functor F_0 : C_0 → CPO, and the quotienting functor E_0 : C_0 → D_0, in the way expressed by 
Lemmas 4.3, 4.14 and 4.8. All the definitions and results in Sections 4.2 and 4.3 can easily 
be transferred to C_0 and D_0, as long as they are concerned with T without the conjunction 
rule. We now explain how to soundly interpret the conjunction rule. 

Define a continuous function con from comm × comm to comm as follows: 

\mathit{wrong} \in \mathit{con}(c,c')(h) \iff \mathit{wrong} \in c(h) \cup c'(h) 
h' \in \mathit{con}(c,c')(h) \iff h' \in c(h) \cap c'(h) 

Function con is the key element in our interpretation of the conjunction rule. Intuitively, 
con(c,c') is a command that is better than c and c': it satisfies more Hoare triples than 
c and c', as long as we consider triples with sufficiently strong preconditions, those which 
ensure that both c and c' run without generating wrong. 

Lemma 5.1. Function con is well-defined. In particular, for all (c,c') ∈ comm × comm, 
con(c,c') satisfies the safety monotonicity and frame property. 

Proof. The continuity follows from the fact that con(c, −) and con(−, c) preserve arbitrary 
nonempty unions. Here we focus on proving that con is a well-defined function. Pick 
(c, c') ∈ comm × comm. To prove that con(c,c') ∈ comm, we should show that con(c,c') 
satisfies the safety monotonicity and the frame property. 

• Safety Monotonicity: Consider heaps h_0, h_1 such that wrong ∉ con(c, c')(h_0) and 
h_0 # h_1. Then, wrong is neither in c(h_0) nor in c'(h_0). Thus, by the safety mono- 
tonicity of c and c', we have that wrong ∉ c(h_0 · h_1) and wrong ∉ c'(h_0 · h_1). This 
implies that wrong ∉ con(c,c')(h_0 · h_1), as required. 

• Frame Property: Suppose that h_0 # h_1, wrong ∉ con(c, c')(h_0), and h' ∈ con(c, c')(h_0 · 
h_1). Note that while proving the previous item, we have shown two facts: (1) 
con(c, c')(h_0 · h_1) does not contain wrong, and (2) neither c(h_0) nor c'(h_0) contains 
wrong. The first fact implies that con(c, c')(h_0 · h_1) = c(h_0 · h_1) ∩ c'(h_0 · h_1), because 
by the definition of con, 

c(h_0 \cdot h_1) \cap c'(h_0 \cdot h_1) \subseteq \mathit{con}(c,c')(h_0 \cdot h_1) \subseteq (c(h_0 \cdot h_1) \cap c'(h_0 \cdot h_1)) \cup \{\mathit{wrong}\}. 

Since h' is in con(c, c')(h_0 · h_1) and con(c,c')(h_0 · h_1) = c(h_0 · h_1) ∩ c'(h_0 · h_1), heap 
h' is in c(h_0 · h_1) as well as in c'(h_0 · h_1). Moreover, by the second fact proved in the 
previous item, wrong ∉ c(h_0) and wrong ∉ c'(h_0). Thus, we can apply the frame 
property of c and c' here. Once the property is applied, we obtain subheaps h'_0, h''_0 
of h' such that 

h'_0 \cdot h_1 = h''_0 \cdot h_1 = h' \ \wedge\ h'_0 \in c(h_0) \ \wedge\ h''_0 \in c'(h_0). 

Note that the equalities force h'_0 and h''_0 to be the same. So, h'_0 should be in 
c(h_0) ∩ c'(h_0) = con(c, c')(h_0). We have just proved that h'_0 is the heap required by 
the frame property of con(c, c'). 

□ 

For all predicates p, q, define an object [p, q] in C_0 just like the corresponding triple 
object in C, except that the second component of [p, q] is a family of pers indexed by precise 
predicates. The following lemma expresses that con properly models a semantic version of 
the conjunction rule in C_0. 

Lemma 5.2. For all predicates p, q, p', q', function con is a morphism in C_0 that has type 
[p,q] × [p',q'] → [p ∩ p', q ∩ q']. 

Proof. Let R, S, T be pers parameterized by precise predicates, such that 

(\mathrm{comm}, R) = [p,q],\quad (\mathrm{comm}, S) = [p',q'],\quad \text{and}\quad (\mathrm{comm}, T) = [p \cap p', q \cap q']. 

Because of Lemma 5.1, con is a well-defined continuous function from comm × comm to 
comm. Thus, it suffices to show that for all precise predicates r, 

\mathit{con}\,[R(r) \times S(r) \to T(r)]\,\mathit{con}. 

Consider a precise predicate r, and command pairs (c_0, c'_0), (c_1, c'_1), such that 

(c_0, c'_0)\,[R(r) \times S(r)]\,(c_1, c'_1). 

First, we show that con(c_0,c'_0) and con(c_1,c'_1) are in the domain of the per T(r). We focus on 
con(c_0, c'_0), because con(c_1,c'_1) ∈ |T(r)| can be proved similarly. Pick a heap h in (p ∩ p') * r. 
Then, h is in p * r and p' * r. Note that c_0 and c'_0 are in |R(r)| and |S(r)|, and R and S 
are the per components of [p, q] and [p',q']. Thus, neither c_0(h) nor c'_0(h) contains wrong, 
c_0(h) ⊆ q * r, and c'_0(h) ⊆ q' * r. Thus, 

\mathit{con}(c_0, c'_0)(h) = c_0(h) \cap c'_0(h) \subseteq q * r \cap q' * r = (q \cap q') * r. 

The first equality follows from the definition of con, because wrong ∉ c_0(h) and wrong ∉ 
c'_0(h). And the last equality holds, because for all precise predicates r_0, − * r_0 distributes 
over ∩. 

Next, we show that con(c_0,c'_0) and con(c_1,c'_1) are T(r)-related. Since both con(c_0,c'_0) 
and con(c_1,c'_1) are in |T(r)|, it is enough to prove that 

\forall h \in (p \cap p') * r * \mathrm{true}.\ \mathit{con}(c_0, c'_0)(h) = \mathit{con}(c_1, c'_1)(h). 

Pick h from (p ∩ p') * r * true. Then, h ∈ p * r * true and h ∈ p' * r * true. Since c_0 [R(r)] c_1 and 
c'_0 [S(r)] c'_1, these two membership relations of h imply that none of c_0(h), c_1(h), c'_0(h), c'_1(h) 
contains wrong, c_0(h) = c_1(h), and c'_0(h) = c'_1(h). Thus, 

\mathit{con}(c_0, c'_0)(h) = c_0(h) \cap c'_0(h) = c_1(h) \cap c'_1(h) = \mathit{con}(c_1, c'_1)(h). 

Since none of c_0(h), c_1(h), c'_0(h), c'_1(h) contains wrong, the first and last equalities follow 
from the definition of con. □ 
The conjunction rule 

\frac{\Gamma \vdash_\Delta M : \{P\}\text{-}\{Q\} \qquad \Gamma \vdash_\Delta M : \{P'\}\text{-}\{Q'\}}{\Gamma \vdash_\Delta M : \{P \wedge P'\}\text{-}\{Q \wedge Q'\}} 

is now interpreted as follows: 

\llbracket \Gamma \vdash_\Delta M : \{P \wedge P'\}\text{-}\{Q \wedge Q'\} \rrbracket^{X}_\eta = \mathit{con}' \circ \langle \llbracket \Gamma \vdash_\Delta M : \{P\}\text{-}\{Q\} \rrbracket^{X}_\eta,\ \llbracket \Gamma \vdash_\Delta M : \{P'\}\text{-}\{Q'\} \rrbracket^{X}_\eta \rangle 

where X is C_0, D_0 or CPO. The standard semantics in CPO and the filtering semantics in 
C_0 use con for con', and, in a direct-style presentation, the quotienting semantics in D_0 uses 
the equivalence class [con] for con'. Note that in the standard semantics, the conjunction 
rule is interpreted as the identity, because con⟨f, f⟩ = f for all morphisms f in CPO. 

Since E' and F' preserve the semantic entities for con', they preserve the interpretation 
of terms in the three semantics. From this preservation, the coherence of the quotienting 
semantics follows. Moreover, since the conjunction rule means the identity in the standard 
semantics, the preservation of interpretations also implies that the conjunction rule is always 
implemented by the identity function in all three semantics, thereby reflecting the fact that 
the rule does not have any computational meaning. 
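To make the six constants of Figure 6 and the operator con of this section concrete, here is an added example (my own code, not from the paper) that models them in Python: heaps as finite maps, commands as functions from a heap to a set of outcomes (result heaps or wrong), the triple types tri(p, q), and finite checks of the safety monotonicity and frame property of Lemma 5.1. The finite address space LOCS and value domain VALS are constructed assumptions, standing in for the paper's Val so that the quantifications over all heaps can be enumerated.

```python
# Added example (not the paper's own code): an executable model of the heap-command semantics
# of Figure 6 and of the conjunction operator con of Section 5.  A heap is a finite partial
# map from locations to values; a command maps a heap to a set of outcomes, either result
# heaps or the fault token WRONG.  Val is cut down to a small constructed finite domain (an
# assumption, not from the paper) so that "for all heaps" can be checked by enumeration.
from itertools import product

WRONG = "wrong"
LOCS, VALS = (1, 2), (0, 1, 2)   # constructed finite address space and value domain

def heap(d):             # immutable heap, so result heaps can be members of outcome sets
    return frozenset(d.items())
def dom(h):
    return {loc for loc, _ in h}
def disjoint(h0, h1):    # h0 # h1
    return not dom(h0) & dom(h1)
def compose(h0, h1):     # h0 . h1 for disjoint heaps (callers check disjointness)
    return h0 | h1
def all_heaps():         # every heap over LOCS x VALS: each location absent or holding a value
    return [heap({l: v for l, v in zip(LOCS, ch) if v is not None})
            for ch in product((None,) + VALS, repeat=len(LOCS))]
def splits(h):           # all ways of writing h as h0 . h1
    items = list(h)
    for mask in range(1 << len(items)):
        h0 = frozenset(x for i, x in enumerate(items) if mask >> i & 1)
        yield h0, h - h0

# The six basic commands of Figure 6.
def skip(h):
    return {h}
def seq(c, c2):          # run c2 on every non-faulting result of c; a fault of c is kept
    def run(h):
        out = {WRONG} if WRONG in c(h) else set()
        for h1 in c(h):
            if h1 != WRONG:
                out |= c2(h1)
        return out
    return run
def new(k):              # allocate a fresh cell holding an arbitrary value, pass its address to k
    return lambda h: set().union(*(k(n)(compose(h, heap({n: v})))
                                   for n, v in product(LOCS, VALS) if n not in dom(h)))
def read(m, k):          # pass the contents of m to k; fault if m is not allocated
    return lambda h: k(dict(h)[m])(h) if m in dom(h) else {WRONG}
def free(m):             # h[m |-> undef]: the cell at m disappears
    return lambda h: {frozenset(x for x in h if x[0] != m)} if m in dom(h) else {WRONG}
def write(m, v):
    return (lambda h: {frozenset(x for x in h if x[0] != m) | {(m, v)}}
            if m in dom(h) else {WRONG})

# The conjunction operator of Section 5: result heaps of both, a fault if either faults.
def con(c, c2):
    def run(h):
        a, b = c(h), c2(h)
        return (a & b) | ({WRONG} if WRONG in a or WRONG in b else set())
    return run

# Predicates, triple types tri(p, q), and the two locality properties of Lemma 5.1.
def emp(h):
    return not h
def cell(m):             # m |-> -
    return lambda h: dom(h) == {m}
def star(p, q):          # separating conjunction p * q
    return lambda h: any(p(h0) and q(h1) for h0, h1 in splits(h))
def in_tri(c, p, q):     # c in tri(p, q): from every heap in p, c neither faults nor leaves q
    return all(WRONG not in c(h) and all(q(h1) for h1 in c(h))
               for h in all_heaps() if p(h))
def safety_monotone(c):  # no fault on h0 implies no fault on any extension h0 . h1
    return all(WRONG not in c(compose(h0, h1))
               for h0 in all_heaps() for h1 in all_heaps()
               if disjoint(h0, h1) and WRONG not in c(h0))
def frame_property(c):   # every result from h0 . h1 is a result from h0 composed with h1
    for h0 in all_heaps():
        for h1 in all_heaps():
            if not disjoint(h0, h1) or WRONG in c(h0):
                continue
            for h in c(compose(h0, h1)):
                if not any(disjoint(r, h1) and compose(r, h1) == h for r in c(h0)):
                    return False
    return True
```

Over this finite model, con(free(1), write(1, 0)) yields no result heap at all from a heap in which address 1 is allocated, so it lies in tri(1 ↦ -, false) although neither free(1) nor write(1, 0) does; that is the sense in which con(c, c') is "better" than both.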

6. Related Work 

The (first order) frame rule was discovered in the early days of separation logic [5] , and 
it was a main reason for the success of that logic. For example, it was vital in the proofs 
of garbage collection algorithms in [21] and [4]. Recently, the second-order frame rule, 
which allows reasoning about simple first-order modules, was discovered [9]. This naturally 
encouraged the question of whether there are more general frame rules that apply to higher 
types. 

Other type systems which track state changes have been proposed in the work on typed 
assembly languages [TJ EJ [20] . Their main focus is to obtain sound rules for proving the safety 
of programs. Thus, they mostly use easy-to-define conventional operational semantics, and 
prove the soundness of the proof system syntactically (i.e., by subject reduction and progress 
lemmas), or "logically" [20]: each type is interpreted as a subset of a single universe of 
"meanings," and a typing judgment is interpreted as a specification for the behavior of 
programs, like a Hoare triple in separation logic. Our separation-logic type system is more 
refined in that it allows the full power of separation logic in the types and, moreover, we 
also treat higher-order procedures. 

The semantics of idealized algol has been studied intensively [TTJ [18], [10], [14] . Normally, 
the semantics is parameterized by the shape of the memory. The indexing in the fibration 
in our semantics follows this tradition, and it models the shape of the stack. However, the 
other indexing of our semantics, the indexing by invariant predicates over heaps, has not 
been used in the literature before. 

The construction of the category D is an instance of the Kripke quotient by Mitchell 
and Moggi [6]. The families of pers in D form a Kripke logical relation on CPO indexed 
by the preorder category 𝒫_r; our condition on each family ensures that the requirement 
of Kripke monotonicity holds. This Kripke logical relation produces D by Mitchell and 
Moggi's construction. 

The idea of proving coherence by relating two languages comes from Reynolds [19] . 
Reynolds proved the coherence of the semantics of typed lambda calculus with subtyping, by 
connecting it with the semantics of untyped lambda calculus. We use the general direction 
of Reynolds's proof, but the details of our proof are quite different from Reynolds's, because 
we consider very different languages. 

7. Conclusion and Future Directions 

We have presented a type system for idealized algol extended with heaps that includes 
separation-logic specifications as types and, moreover, defined the coherent semantics of 
idealized algol typed with this system. 

One shortcoming of our type system is that the higher-order frame rules in the system 
allow only static modularity [12]. With the higher-order frame rules alone, we cannot 
capture all the information-hiding aspects of dynamically allocated data structures as 
needed for modeling abstract data types. However, it is well known that abstract data 
types can be modeled using existential types, and we are currently considering enriching 
the assertion language with predicate variables, as in the recently introduced higher-order 
version of separation logic [3], and extending the types with dependent products and sums 
over predicates. 

Yet another future direction is to define a parametric model. Uday Reddy pointed out 
that separation-logic types should validate stronger reasoning principles for data abstraction 
than ordinary types, because they let us control what clients can access more precisely. 
Formalizing his intuition is the goal of the parametricity semantics. We currently plan to 
use a category C̃ which replaces each predicate-indexed family of pers in C by a relation- 
indexed family of saturated relations: an object in C̃ is a cpo paired with a family T of 
binary relations such that (1) T is indexed by a "typed" relation r: p ↔ q on heaps (i.e., 
r ⊆ p × q); (2) for each predicate p, T at the diagonal relation Δ_p is a per; (3) for all 
r: p ↔ q, T(r) is a saturated relation between the pers T(Δ_p) and T(Δ_q); (4) T(r) ⊆ T(r * r'). 
The morphisms in C̃ are continuous functions that preserve the families of relations. This 
category has all the categorical structure of C that we used in the semantics of this paper. 
However, it is difficult to interpret the triple types such that the memory allocator new lives 
in the category. Overcoming this problem will be the focus of our research in this direction. 

Finally, we would like to extend the relational separation logic [22] to higher order, following 
the style of system 𝓡 [Tj, and we want to explore the Curry-Howard correspondence 
of our type system with specification logic [15]. 